berbew | 57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4ca

Analysis

max time kernel
73s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
Size

94KB
MD5

e3afe383097d039e6ff80b03a0ad00a0
SHA1

339366dade3229542d88d48bee55f4d41597a0be
SHA256

57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4ca
SHA512

580d6ce858cd14551c894c7153e4f74432546b8bd275667c628374bc69df828aed9db6571a49e6ec0005f30733b416f55621273dba84d43e12198c095cfd6b46
SSDEEP

1536:1ZWWtGeHv0t3I7/NvwTS0KhAF1VdTz3QfhZh57BR9L4DT2EnINs:yWtfv0t3qeTxKheVdTz3QDh56+ob

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jijacjnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaahk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kppldhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhkbmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qldjdlgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qldjdlgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeaahk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lophacfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebappk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhhge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmiejji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbnlaqhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndafcmci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejnfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blkmdodf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpdankjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mldeik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndafcmci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Appbcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhhge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqkjmcmq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obcffefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdldknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogljj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bogljj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceeqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epqgopbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obcffefa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bggjjlnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbfjkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbgkfbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onoqfehp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifengpdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afcdpi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidaba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mldeik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhbmip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgnelll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpoohik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Appbcn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkeoongd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekghcq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jijacjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlolnllf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdojnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onoqfehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pefhlcdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaflgb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2828	Iqhfnifq.exe
2196	Ifengpdh.exe
2960	Jbnlaqhi.exe
2416	Jijacjnc.exe
2080	Jeaahk32.exe
1252	Jecnnk32.exe
1800	Jpmooind.exe
2148	Kppldhla.exe
2312	Keoabo32.exe
2912	Klkfdi32.exe
940	Lbgkfbbj.exe
460	Llpoohik.exe
1796	Lophacfl.exe
2260	Lpdankjg.exe
2512	Lgnjke32.exe
2580	Lgpfpe32.exe
2012	Mlolnllf.exe
1036	Mehpga32.exe
1680	Mldeik32.exe
2596	Mdojnm32.exe
1932	Ndafcmci.exe
2584	Nphghn32.exe
1316	Ndfpnl32.exe
2528	Nopaoj32.exe
2248	Ncnjeh32.exe
2724	Nhkbmo32.exe
2772	Obcffefa.exe
2748	Ooidei32.exe
2792	Oiahnnji.exe
2624	Onoqfehp.exe
2324	Pjhnqfla.exe
2940	Pcpbik32.exe
3036	Pimkbbpi.exe
2432	Pcdldknm.exe
2316	Pefhlcdk.exe
2904	Pidaba32.exe
1308	Qldjdlgb.exe
752	Anecfgdc.exe
2428	Aaflgb32.exe
2044	Afcdpi32.exe
1396	Apkihofl.exe
1864	Aejnfe32.exe
904	Appbcn32.exe
2460	Bbqkeioh.exe
3068	Bogljj32.exe
2132	Blkmdodf.exe
2184	Bceeqi32.exe
1636	Bhbmip32.exe
1808	Bakaaepk.exe
2768	Bggjjlnb.exe
2820	Cdkkcp32.exe
1540	Ckecpjdh.exe
2652	Cdngip32.exe
688	Ckhpejbf.exe
3024	Cgnpjkhj.exe
2300	Cnhhge32.exe
2424	Cgqmpkfg.exe
1160	Chbihc32.exe
1488	Ccgnelll.exe
580	Djafaf32.exe
2128	Donojm32.exe
2464	Ddkgbc32.exe
1668	Dkeoongd.exe
1596	Ddmchcnd.exe

Loads dropped DLL 64 IoCs

pid	Process
2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
2828	Iqhfnifq.exe
2828	Iqhfnifq.exe
2196	Ifengpdh.exe
2196	Ifengpdh.exe
2960	Jbnlaqhi.exe
2960	Jbnlaqhi.exe
2416	Jijacjnc.exe
2416	Jijacjnc.exe
2080	Jeaahk32.exe
2080	Jeaahk32.exe
1252	Jecnnk32.exe
1252	Jecnnk32.exe
1800	Jpmooind.exe
1800	Jpmooind.exe
2148	Kppldhla.exe
2148	Kppldhla.exe
2312	Keoabo32.exe
2312	Keoabo32.exe
2912	Klkfdi32.exe
2912	Klkfdi32.exe
940	Lbgkfbbj.exe
940	Lbgkfbbj.exe
460	Llpoohik.exe
460	Llpoohik.exe
1796	Lophacfl.exe
1796	Lophacfl.exe
2260	Lpdankjg.exe
2260	Lpdankjg.exe
2512	Lgnjke32.exe
2512	Lgnjke32.exe
2580	Lgpfpe32.exe
2580	Lgpfpe32.exe
2012	Mlolnllf.exe
2012	Mlolnllf.exe
1036	Mehpga32.exe
1036	Mehpga32.exe
1680	Mldeik32.exe
1680	Mldeik32.exe
2596	Mdojnm32.exe
2596	Mdojnm32.exe
1932	Ndafcmci.exe
1932	Ndafcmci.exe
2584	Nphghn32.exe
2584	Nphghn32.exe
1316	Ndfpnl32.exe
1316	Ndfpnl32.exe
2528	Nopaoj32.exe
2528	Nopaoj32.exe
2248	Ncnjeh32.exe
2248	Ncnjeh32.exe
2724	Nhkbmo32.exe
2724	Nhkbmo32.exe
2772	Obcffefa.exe
2772	Obcffefa.exe
2748	Ooidei32.exe
2748	Ooidei32.exe
2792	Oiahnnji.exe
2792	Oiahnnji.exe
2624	Onoqfehp.exe
2624	Onoqfehp.exe
2324	Pjhnqfla.exe
2324	Pjhnqfla.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ebdqhg32.dll	Lgpfpe32.exe
File opened for modification	C:\Windows\SysWOW64\Nopaoj32.exe	Ndfpnl32.exe
File created	C:\Windows\SysWOW64\Obcffefa.exe	Nhkbmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ebappk32.exe	Ekghcq32.exe
File created	C:\Windows\SysWOW64\Hmekdl32.dll	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Bbqkeioh.exe	Appbcn32.exe
File created	C:\Windows\SysWOW64\Mbiajn32.dll	Jijacjnc.exe
File created	C:\Windows\SysWOW64\Lhhkobjh.dll	Mdojnm32.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	Bhbmip32.exe
File created	C:\Windows\SysWOW64\Ddmchcnd.exe	Dkeoongd.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Ebappk32.exe
File created	C:\Windows\SysWOW64\Egpena32.exe	Enhaeldn.exe
File opened for modification	C:\Windows\SysWOW64\Jijacjnc.exe	Jbnlaqhi.exe
File opened for modification	C:\Windows\SysWOW64\Lgpfpe32.exe	Lgnjke32.exe
File opened for modification	C:\Windows\SysWOW64\Afcdpi32.exe	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Appbcn32.exe	Aejnfe32.exe
File created	C:\Windows\SysWOW64\Mhnkcm32.dll	Bbqkeioh.exe
File created	C:\Windows\SysWOW64\Jbnlaqhi.exe	Ifengpdh.exe
File created	C:\Windows\SysWOW64\Epqgopbi.exe	Ejcofica.exe
File opened for modification	C:\Windows\SysWOW64\Epqgopbi.exe	Ejcofica.exe
File created	C:\Windows\SysWOW64\Iqhfnifq.exe	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
File created	C:\Windows\SysWOW64\Abhnddbn.dll	Jpmooind.exe
File created	C:\Windows\SysWOW64\Eqnpepil.dll	Ndfpnl32.exe
File opened for modification	C:\Windows\SysWOW64\Apkihofl.exe	Afcdpi32.exe
File created	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cnhhge32.exe
File opened for modification	C:\Windows\SysWOW64\Mldeik32.exe	Mehpga32.exe
File created	C:\Windows\SysWOW64\Ipodji32.dll	Bceeqi32.exe
File opened for modification	C:\Windows\SysWOW64\Efffpjmk.exe	Dmmbge32.exe
File created	C:\Windows\SysWOW64\Mqpkpl32.dll	Ejcofica.exe
File created	C:\Windows\SysWOW64\Eeebeabe.dll	Llpoohik.exe
File created	C:\Windows\SysWOW64\Afcdpi32.exe	Aaflgb32.exe
File created	C:\Windows\SysWOW64\Kecfmlgq.dll	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Bjcmdmiq.dll	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Cgqmpkfg.exe	Cnhhge32.exe
File created	C:\Windows\SysWOW64\Fdbnboph.dll	Dkgldm32.exe
File created	C:\Windows\SysWOW64\Jeaahk32.exe	Jijacjnc.exe
File created	C:\Windows\SysWOW64\Lophacfl.exe	Llpoohik.exe
File created	C:\Windows\SysWOW64\Mdojnm32.exe	Mldeik32.exe
File created	C:\Windows\SysWOW64\Pcpbik32.exe	Pjhnqfla.exe
File created	C:\Windows\SysWOW64\Pcdldknm.exe	Pimkbbpi.exe
File created	C:\Windows\SysWOW64\Bogljj32.exe	Bbqkeioh.exe
File created	C:\Windows\SysWOW64\Cgnpjkhj.exe	Ckhpejbf.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Donojm32.exe
File created	C:\Windows\SysWOW64\Jecnnk32.exe	Jeaahk32.exe
File created	C:\Windows\SysWOW64\Bhbmip32.exe	Bceeqi32.exe
File created	C:\Windows\SysWOW64\Bjbmip32.dll	Iqhfnifq.exe
File opened for modification	C:\Windows\SysWOW64\Jbnlaqhi.exe	Ifengpdh.exe
File opened for modification	C:\Windows\SysWOW64\Jecnnk32.exe	Jeaahk32.exe
File created	C:\Windows\SysWOW64\Ghmnljbp.dll	Keoabo32.exe
File created	C:\Windows\SysWOW64\Jckenobm.dll	Nphghn32.exe
File opened for modification	C:\Windows\SysWOW64\Onoqfehp.exe	Oiahnnji.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Fbfjkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifengpdh.exe	Iqhfnifq.exe
File opened for modification	C:\Windows\SysWOW64\Ckecpjdh.exe	Cdkkcp32.exe
File created	C:\Windows\SysWOW64\Hepmik32.dll	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
File created	C:\Windows\SysWOW64\Jijacjnc.exe	Jbnlaqhi.exe
File opened for modification	C:\Windows\SysWOW64\Jpmooind.exe	Jecnnk32.exe
File created	C:\Windows\SysWOW64\Klalgq32.dll	Lbgkfbbj.exe
File created	C:\Windows\SysWOW64\Ndafcmci.exe	Mdojnm32.exe
File created	C:\Windows\SysWOW64\Oengjm32.dll	Jeaahk32.exe
File created	C:\Windows\SysWOW64\Dhlmpmai.dll	Kppldhla.exe
File created	C:\Windows\SysWOW64\Lpdankjg.exe	Lophacfl.exe
File created	C:\Windows\SysWOW64\Qkbeqfel.dll	Ncnjeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bhbmip32.exe	Bceeqi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2356	1572	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnpjkhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekghcq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgnelll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfpnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhkbmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qldjdlgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceeqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimkbbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appbcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbfjkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pefhlcdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqkjmcmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpena32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaahk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jecnnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mehpga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdldknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bggjjlnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkkcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbnlaqhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgpfpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcdpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkihofl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhklna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kppldhla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlolnllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpbik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebappk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jijacjnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphghn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejcofica.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqmpkfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddbmcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbgkfbbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdojnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiahnnji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onoqfehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkgldm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lophacfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mldeik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chbihc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmchcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdngip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifengpdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpmooind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nopaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhbmip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anecfgdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbqkeioh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efffpjmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epqgopbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqhfnifq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgnjke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhpejbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkeoongd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klkfdi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnjeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll"	Bakaaepk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmik32.dll"	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbnlaqhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llpoohik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbqkeioh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbnlaqhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpmooind.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chbihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jijacjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgqmpkfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndfpnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onoqfehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfoacnc.dll"	Pcdldknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnljbp.dll"	Keoabo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqnablhp.dll"	Mehpga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkgldm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peqiahfi.dll"	Dhklna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkcdb32.dll"	Aejnfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afcdpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfhal32.dll"	Klkfdi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afcdpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbfjkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pefhlcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll"	Efffpjmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okeqhl32.dll"	Ndafcmci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pimkbbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll"	Nhkbmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiahnnji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icaipj32.dll"	Appbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmmbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iqhfnifq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klalgq32.dll"	Lbgkfbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdkkcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpcmnaip.dll"	Cgqmpkfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncnjeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhpejbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpdankjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obcffefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcpbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anecfgdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Appbcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqogi32.dll"	Ifengpdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpmooind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmchcnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ooidei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdjljo.dll"	Afcdpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpfpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epqgopbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goigjpaa.dll"	Pefhlcdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nopaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onoqfehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddbmcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekghcq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaflgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll"	Ckhpejbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iqhfnifq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhkbmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egpena32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mehpga32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2828	2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe	30
PID 2484 wrote to memory of 2828	2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe	30
PID 2484 wrote to memory of 2828	2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe	30
PID 2484 wrote to memory of 2828	2484	57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe	30
PID 2828 wrote to memory of 2196	2828	Iqhfnifq.exe	31
PID 2828 wrote to memory of 2196	2828	Iqhfnifq.exe	31
PID 2828 wrote to memory of 2196	2828	Iqhfnifq.exe	31
PID 2828 wrote to memory of 2196	2828	Iqhfnifq.exe	31
PID 2196 wrote to memory of 2960	2196	Ifengpdh.exe	32
PID 2196 wrote to memory of 2960	2196	Ifengpdh.exe	32
PID 2196 wrote to memory of 2960	2196	Ifengpdh.exe	32
PID 2196 wrote to memory of 2960	2196	Ifengpdh.exe	32
PID 2960 wrote to memory of 2416	2960	Jbnlaqhi.exe	33
PID 2960 wrote to memory of 2416	2960	Jbnlaqhi.exe	33
PID 2960 wrote to memory of 2416	2960	Jbnlaqhi.exe	33
PID 2960 wrote to memory of 2416	2960	Jbnlaqhi.exe	33
PID 2416 wrote to memory of 2080	2416	Jijacjnc.exe	34
PID 2416 wrote to memory of 2080	2416	Jijacjnc.exe	34
PID 2416 wrote to memory of 2080	2416	Jijacjnc.exe	34
PID 2416 wrote to memory of 2080	2416	Jijacjnc.exe	34
PID 2080 wrote to memory of 1252	2080	Jeaahk32.exe	35
PID 2080 wrote to memory of 1252	2080	Jeaahk32.exe	35
PID 2080 wrote to memory of 1252	2080	Jeaahk32.exe	35
PID 2080 wrote to memory of 1252	2080	Jeaahk32.exe	35
PID 1252 wrote to memory of 1800	1252	Jecnnk32.exe	36
PID 1252 wrote to memory of 1800	1252	Jecnnk32.exe	36
PID 1252 wrote to memory of 1800	1252	Jecnnk32.exe	36
PID 1252 wrote to memory of 1800	1252	Jecnnk32.exe	36
PID 1800 wrote to memory of 2148	1800	Jpmooind.exe	37
PID 1800 wrote to memory of 2148	1800	Jpmooind.exe	37
PID 1800 wrote to memory of 2148	1800	Jpmooind.exe	37
PID 1800 wrote to memory of 2148	1800	Jpmooind.exe	37
PID 2148 wrote to memory of 2312	2148	Kppldhla.exe	38
PID 2148 wrote to memory of 2312	2148	Kppldhla.exe	38
PID 2148 wrote to memory of 2312	2148	Kppldhla.exe	38
PID 2148 wrote to memory of 2312	2148	Kppldhla.exe	38
PID 2312 wrote to memory of 2912	2312	Keoabo32.exe	39
PID 2312 wrote to memory of 2912	2312	Keoabo32.exe	39
PID 2312 wrote to memory of 2912	2312	Keoabo32.exe	39
PID 2312 wrote to memory of 2912	2312	Keoabo32.exe	39
PID 2912 wrote to memory of 940	2912	Klkfdi32.exe	40
PID 2912 wrote to memory of 940	2912	Klkfdi32.exe	40
PID 2912 wrote to memory of 940	2912	Klkfdi32.exe	40
PID 2912 wrote to memory of 940	2912	Klkfdi32.exe	40
PID 940 wrote to memory of 460	940	Lbgkfbbj.exe	41
PID 940 wrote to memory of 460	940	Lbgkfbbj.exe	41
PID 940 wrote to memory of 460	940	Lbgkfbbj.exe	41
PID 940 wrote to memory of 460	940	Lbgkfbbj.exe	41
PID 460 wrote to memory of 1796	460	Llpoohik.exe	42
PID 460 wrote to memory of 1796	460	Llpoohik.exe	42
PID 460 wrote to memory of 1796	460	Llpoohik.exe	42
PID 460 wrote to memory of 1796	460	Llpoohik.exe	42
PID 1796 wrote to memory of 2260	1796	Lophacfl.exe	43
PID 1796 wrote to memory of 2260	1796	Lophacfl.exe	43
PID 1796 wrote to memory of 2260	1796	Lophacfl.exe	43
PID 1796 wrote to memory of 2260	1796	Lophacfl.exe	43
PID 2260 wrote to memory of 2512	2260	Lpdankjg.exe	44
PID 2260 wrote to memory of 2512	2260	Lpdankjg.exe	44
PID 2260 wrote to memory of 2512	2260	Lpdankjg.exe	44
PID 2260 wrote to memory of 2512	2260	Lpdankjg.exe	44
PID 2512 wrote to memory of 2580	2512	Lgnjke32.exe	45
PID 2512 wrote to memory of 2580	2512	Lgnjke32.exe	45
PID 2512 wrote to memory of 2580	2512	Lgnjke32.exe	45
PID 2512 wrote to memory of 2580	2512	Lgnjke32.exe	45

C:\Users\Admin\AppData\Local\Temp\57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe
"C:\Users\Admin\AppData\Local\Temp\57cffa91b7bd9a7cdcf99249d0fd9413022fbede555e90c3a1009b61d4acb4caN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\Iqhfnifq.exe
  C:\Windows\system32\Iqhfnifq.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\Ifengpdh.exe
    C:\Windows\system32\Ifengpdh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\Jbnlaqhi.exe
      C:\Windows\system32\Jbnlaqhi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\Jijacjnc.exe
        
        C:\Windows\system32\Jijacjnc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\Jeaahk32.exe
        
        C:\Windows\system32\Jeaahk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Jecnnk32.exe
        
        C:\Windows\system32\Jecnnk32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Jpmooind.exe
        
        C:\Windows\system32\Jpmooind.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kppldhla.exe
        
        C:\Windows\system32\Kppldhla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Keoabo32.exe
        
        C:\Windows\system32\Keoabo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Klkfdi32.exe
        
        C:\Windows\system32\Klkfdi32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lbgkfbbj.exe
        
        C:\Windows\system32\Lbgkfbbj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Llpoohik.exe
        
        C:\Windows\system32\Llpoohik.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Lophacfl.exe
        
        C:\Windows\system32\Lophacfl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Lpdankjg.exe
        
        C:\Windows\system32\Lpdankjg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Lgnjke32.exe
        
        C:\Windows\system32\Lgnjke32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Lgpfpe32.exe
        
        C:\Windows\system32\Lgpfpe32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Mlolnllf.exe
        
        C:\Windows\system32\Mlolnllf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Mehpga32.exe
        
        C:\Windows\system32\Mehpga32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Mldeik32.exe
        
        C:\Windows\system32\Mldeik32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Mdojnm32.exe
        
        C:\Windows\system32\Mdojnm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Ndafcmci.exe
        
        C:\Windows\system32\Ndafcmci.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Nphghn32.exe
        
        C:\Windows\system32\Nphghn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ndfpnl32.exe
        
        C:\Windows\system32\Ndfpnl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Nopaoj32.exe
        
        C:\Windows\system32\Nopaoj32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Ncnjeh32.exe
        
        C:\Windows\system32\Ncnjeh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Nhkbmo32.exe
        
        C:\Windows\system32\Nhkbmo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Obcffefa.exe
        
        C:\Windows\system32\Obcffefa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Ooidei32.exe
        
        C:\Windows\system32\Ooidei32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Oiahnnji.exe
        
        C:\Windows\system32\Oiahnnji.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Onoqfehp.exe
        
        C:\Windows\system32\Onoqfehp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Pjhnqfla.exe
        
        C:\Windows\system32\Pjhnqfla.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Pcpbik32.exe
        
        C:\Windows\system32\Pcpbik32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Pimkbbpi.exe
        
        C:\Windows\system32\Pimkbbpi.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Pcdldknm.exe
        
        C:\Windows\system32\Pcdldknm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Pefhlcdk.exe
        
        C:\Windows\system32\Pefhlcdk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Pidaba32.exe
        
        C:\Windows\system32\Pidaba32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Qldjdlgb.exe
        
        C:\Windows\system32\Qldjdlgb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Anecfgdc.exe
        
        C:\Windows\system32\Anecfgdc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Aaflgb32.exe
        
        C:\Windows\system32\Aaflgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Afcdpi32.exe
        
        C:\Windows\system32\Afcdpi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Apkihofl.exe
        
        C:\Windows\system32\Apkihofl.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Aejnfe32.exe
        
        C:\Windows\system32\Aejnfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Appbcn32.exe
        
        C:\Windows\system32\Appbcn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Bbqkeioh.exe
        
        C:\Windows\system32\Bbqkeioh.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Bogljj32.exe
        
        C:\Windows\system32\Bogljj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Blkmdodf.exe
        
        C:\Windows\system32\Blkmdodf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Bceeqi32.exe
        
        C:\Windows\system32\Bceeqi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Bhbmip32.exe
        
        C:\Windows\system32\Bhbmip32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Bggjjlnb.exe
        
        C:\Windows\system32\Bggjjlnb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Cdkkcp32.exe
        
        C:\Windows\system32\Cdkkcp32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Ckecpjdh.exe
        
        C:\Windows\system32\Ckecpjdh.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Cdngip32.exe
        
        C:\Windows\system32\Cdngip32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Ckhpejbf.exe
        
        C:\Windows\system32\Ckhpejbf.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Cgnpjkhj.exe
        
        C:\Windows\system32\Cgnpjkhj.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Cnhhge32.exe
        
        C:\Windows\system32\Cnhhge32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Cgqmpkfg.exe
        
        C:\Windows\system32\Cgqmpkfg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Chbihc32.exe
        
        C:\Windows\system32\Chbihc32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Ccgnelll.exe
        
        C:\Windows\system32\Ccgnelll.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dkeoongd.exe
        
        C:\Windows\system32\Dkeoongd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Ddmchcnd.exe
        
        C:\Windows\system32\Ddmchcnd.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Dkgldm32.exe
        
        C:\Windows\system32\Dkgldm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Dhklna32.exe
        
        C:\Windows\system32\Dhklna32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Djmiejji.exe
        
        C:\Windows\system32\Djmiejji.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Ddbmcb32.exe
        
        C:\Windows\system32\Ddbmcb32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Dmmbge32.exe
        
        C:\Windows\system32\Dmmbge32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Efffpjmk.exe
        
        C:\Windows\system32\Efffpjmk.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Eqkjmcmq.exe
        
        C:\Windows\system32\Eqkjmcmq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\Ejcofica.exe
        
        C:\Windows\system32\Ejcofica.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Epqgopbi.exe
        
        C:\Windows\system32\Epqgopbi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Ekghcq32.exe
        
        C:\Windows\system32\Ekghcq32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Ebappk32.exe
        
        C:\Windows\system32\Ebappk32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Egpena32.exe
        
        C:\Windows\system32\Egpena32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Fbfjkj32.exe
        
        C:\Windows\system32\Fbfjkj32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        80⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 140
        81⤵
        Program crash
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaflgb32.exe

Filesize
94KB

MD5
aa6c5ba460ed0aa2081065a9ee6f6bf2

SHA1
36fae78cb77e8067bf3b27e8dcb7cac9ef8f5af2

SHA256
2655f1fceec62c023081b14a516744becbcd2f7a15fc343bd8c1951e5b12bac2

SHA512
cfa0c533f0ac252897cc44ccfe0e004f08549e8ad1f9c836c65d0a0d0b2a0c77f6702669c4a6bfabd1f98e962064039d64fff1ed5dee8cad11ad1f54587af341

Download Submit
C:\Windows\SysWOW64\Aejnfe32.exe

Filesize
94KB

MD5
4c88007563a6ac7576767abec6295811

SHA1
14014529cbda21ec51aefa16cf9a1e1c1855ae88

SHA256
617cf9aab989e751af57985170b2b77c953ada442fb9dc768a675f561a440f4d

SHA512
0ea8ed5eda47eb90411f728f64b50f45467a4997f77e4cc752cb706e7770610d95c595d8d32021c57fc819bbdf395cfb6522d6ca088f7f89816a78047c4350c8

Download Submit
C:\Windows\SysWOW64\Afcdpi32.exe

Filesize
94KB

MD5
36bce883bb0925caf1d03f5efbe917bb

SHA1
95216fca9e5f7712b1a444fa494fac257d5d144e

SHA256
10a9fe965aae5670a09b2939cff9fe3d2c981708be9470e9af5cb9f093d907e8

SHA512
0ec731fb86a47b4fff68af2d16173c76f3b7965f83d5d4c6ab8bdae8397af20e6cc50bb2e499d5768105824cc8e7aee6856d4f724505f24c91a98b3e690d7f21

Download Submit
C:\Windows\SysWOW64\Anecfgdc.exe

Filesize
94KB

MD5
8091ce1d8dd52241830d97b61efbc200

SHA1
257e017cb338369657ebff7ac4b6b2b8cce4327a

SHA256
b2c69de454543c65a6c2d9461299360179f58d67e3d8c5ea276e05daed12b852

SHA512
7eb66e24302d62b0f525482ac848df607879f3defbbbdde6c76129d363397e75e764054ec3a7d3fa9639bac04241c8d607f74a8e7e943825a1a1358719e8b409

Download Submit
C:\Windows\SysWOW64\Apkihofl.exe

Filesize
94KB

MD5
53db33bbde109118e97de3b62114e5e9

SHA1
7ee9fa87be377c30eb919a97b72f11fbbb9e6eb7

SHA256
42572b85850bb86f55a5a289dc0721d14ab02cb27c8eeed1a441d2c9973bba23

SHA512
31b8f9501bff12eceb888772f93e8947fd849d47d79869258e59dfd3c6540973fe57bc9a33d7af00f67ef53d2e67b25d031b9f5f5d601db13b1346a01f6b176b

Download Submit
C:\Windows\SysWOW64\Appbcn32.exe

Filesize
94KB

MD5
08fe43237c529cb51114a31f9eeb86e0

SHA1
2bf01bb199b03423773343af98360757208fe39b

SHA256
65c9ac2cbe8b3410202d3827bf5faac686ebfedaeb0306347492f406c14db026

SHA512
361adf9b8f52122af84d9be3f511aa4f69ec59e13dee8effad2b5b20c9c901482616f90c39c6b2459df4bc81637d66bb870237d77d8dcd4aa0114c0e50aa7f5c

Download Submit
C:\Windows\SysWOW64\Bakaaepk.exe

Filesize
94KB

MD5
0851492b23234dfd881d9241422cdfb1

SHA1
62fd8edced3219fed7fd305fca3149bdb399897b

SHA256
cabc17b7f0850e41b15e295ec6b683e8aa1adb7b23595a73877c64964803964a

SHA512
b3b32337b5c082074bd5e598b155c9f326ed39c5f5ae8d9be4762180c238a7e0cd7efbe1a381d2a335a287574b4f9732be2e328c2dcb19bcf07a0cd5445b322f

Download Submit
C:\Windows\SysWOW64\Bbqkeioh.exe

Filesize
94KB

MD5
eb3d5c73fee0dbf90445194547807fb1

SHA1
4e3ef40382f7ad71f58c3f44dba3d21bc981529f

SHA256
4bcb08dd2882ddb0cd3aee179224dc0a787ca48ddc7e122d656ee900b5cd2cab

SHA512
d08e113553560e62dbbfb066610b7735dc0e8470c22f537c6cb552fb932ad2f196f5b9734d7975c649ef7c955cad397585d6252e50d3d96481672e92c5cba72e

Download Submit
C:\Windows\SysWOW64\Bceeqi32.exe

Filesize
94KB

MD5
7440f69c8f8a71a20f17006193ad19f9

SHA1
1fd7e48c28cb015212399670fae5ebff71e2bf86

SHA256
61242225ee3a7712fc1c65c5a2cb5f476f06c811fc5535a2b599135bdcb7f4df

SHA512
29d071ef3785cc8d801ffee7578c15aac3ba1810a3d65f1f6d858df06f50acce70994905299197346a8bf4523b35704b47f527cde7b4fe5f528da871c88ee601

Download Submit
C:\Windows\SysWOW64\Bggjjlnb.exe

Filesize
94KB

MD5
34c43b0d5c5087e69bfcdd4d03ac5fe4

SHA1
fde94998557abcdc5e10e66205e409b82336b8de

SHA256
721758b9176f231da483b772d035c171d98220a8fd3b5cf2c9609b9bcd08af30

SHA512
29503b55eeb054a738734718f53fc1c76ef7e9fac4ded6a51a6cfec22e96756687547d740c1b2071656dc09d34918efbe662d43b06665f80c267ca4efb897fc9

Download Submit
C:\Windows\SysWOW64\Bhbmip32.exe

Filesize
94KB

MD5
8ab8070f734561aaf689d0e9364159c9

SHA1
3f379bcaec01d1ec2c5f25e2360fbaf9f7ffa69f

SHA256
0a7b796ff3c8fdfc7e27a8a2b2b8ae0748befb14c2db0aa5e4075c1d86e9641c

SHA512
badcad711e583817f2ed21792787092b897163a4010109b29a161126256ab719db8f2d6dbfeaf68c4e9a7092073cf5a8f09f7e38d86391bd8100df4ff9c93745

Download Submit
C:\Windows\SysWOW64\Blkmdodf.exe

Filesize
94KB

MD5
26ada06ee8be01389aca7515195613a0

SHA1
9f0285182a372fda418d8d42053fa538e7f36a3e

SHA256
ae1ae2d51840ddbf15dbd9dd7d5f9a998d30b5e2edd16680c3e41063ffc0de5e

SHA512
d22b98339ddc771e3393a5512685be4e79ca060a1331ef8f41a881b0df5021b9e2e2682d0c8089b38a2f52ec8389160cc1fe62e01c7b2f40b6b527e5336dc948

Download Submit
C:\Windows\SysWOW64\Bogljj32.exe

Filesize
94KB

MD5
c9a1c5dd14741d718d0f3f66d88e7fc1

SHA1
300b62e447f0a610c91761bdaab7bfddad7f1885

SHA256
ba6205239ba09fe1a403dc8331eef9da85cf8b2ca4e42c8d2f690fffca9a8747

SHA512
491b19dabfdef8a207090ac04087d92671362e8342d13d731b604f335c53e2faf0620357a4986312ca91a290e6ac309f96d5555c15e458e1d994d7046923767a

Download Submit
C:\Windows\SysWOW64\Ccgnelll.exe

Filesize
94KB

MD5
002713bf4f39a89b258f1a87c0046ff6

SHA1
d282b0b12878dc4591e026f9ad3897e8fc2b2d99

SHA256
2047bb0471d1f1ec17b4365906ab74e110c61c35af5c28094a117ef547f84896

SHA512
d0cc640ae8b643820e8a2d284572d72bac01d9526e3112312193f0c033cfd3d5b0ed5811caf1bab064081aa2b50b203aad023369fd987bd5e0ef4d6cf9ae9e08

Download Submit
C:\Windows\SysWOW64\Cdkkcp32.exe

Filesize
94KB

MD5
3fc838daf66dbf98af5fd68791e98477

SHA1
e91c8da10213def999ac899ea1a2e693b98a0b96

SHA256
846989d470db0363baf4f0b963a013e9ec5b56f3e2261968ae2f1bf2655a99f2

SHA512
e7f076d45e3512b1b1e3f7122b7604e777d6145bc5795f2ab466441acf0ebad7dd774355f33d96251e289f80614a2b3e9f9813396d472a31d371896c658e3b67

Download Submit
C:\Windows\SysWOW64\Cdngip32.exe

Filesize
94KB

MD5
c20917d2075e98491f6419f8864dac87

SHA1
24cf0dedf65619de0a62e3aca14cf4bc3a84c50e

SHA256
283519277bb047c792d0dc423187599a0ed6fdef8dc49818a751813d1c3b27e0

SHA512
ba43e36eb15a70b6cbf5c82df36c78e01a6cb46d6fc1fb293a4df58cf399d2b5ab24dfc132c14147cf52dd2606e6bc3dc3447946bcbfb12cf0368e4a9f0bce2a

Download Submit
C:\Windows\SysWOW64\Cgnpjkhj.exe

Filesize
94KB

MD5
6eb0eae3c4cd4fae5eaebd04757023dc

SHA1
a93421e1884eb1bb3e2d327a65ffa99d5c38458b

SHA256
38e7051af99839ab7e1b7685274a36460fb5197035e2e6c4194caa62bca82c99

SHA512
bb3494136e689f206204aa381e51ee8dbb0415ec36a1d5479433479f1809a52c4716e60795eaf76c6fbff93d5a899385d57f8e101f9dbb8426760afd05f53bb0

Download Submit
C:\Windows\SysWOW64\Cgqmpkfg.exe

Filesize
94KB

MD5
85d7d4e53fdf99180033c720dac58f11

SHA1
8e0bc6acc7b58789e33cdc9206295da87502500e

SHA256
a3371cf183d33a859ba081eab0eacde948d65a54b32980d1d950413d0c2f2cc9

SHA512
ce8b3da0a788834615ddfd591300fc4b2fd747e3633cfc32249b8d29594cbf244952a5a2f0fdf392680882b6a187c8adfb5c107f3852ea369d84d6d15dfa5db9

Download Submit
C:\Windows\SysWOW64\Chbihc32.exe

Filesize
94KB

MD5
d948ae1768b8f8ea442872c0532bfe44

SHA1
a8fa18f73437d0bbeaf1b44f859ec330938cff66

SHA256
36738dcb52cc50eac1c1482466d5c171f86c8559e44c82ccd61bc390fe972bce

SHA512
332acc9ba831710f6a30e7730719d4f1d5659121c4020f18c027e3a83b8d1d467467d309d387a5c8e56e6cb54f9db2df3c109cd81d8035ca6be26a90ea44d702

Download Submit
C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
94KB

MD5
77fd751c996bb4fa62ad5d85658e94d7

SHA1
0561588537f45096102c3cf4ea8620579c27f60b

SHA256
f2829412d1fa501d7588fe4b4be8c4244c2cfb69034ab65fc32343465a22b229

SHA512
8b5eb454fef65bb02394f9b86ef4e66d8e24ed51c5793a4b88f8a56bc8b4fd1ffbdac3e9b827a2eaf754494717aed4c360b01118cdc4e309e2ff2b72bdf831b1

Download Submit
C:\Windows\SysWOW64\Ckhpejbf.exe

Filesize
94KB

MD5
579ff8a8a29484999d244dc1297c524a

SHA1
bda7c6ce12dee4e41249be859249fe4d9869a295

SHA256
1d5d17097c3bc67f6361aacc8ccb479cf627b4c8e314201470179449b1d839a2

SHA512
6cc8f60696e46ada9eb862f3005ea5402171c5e0bd1d644eae33a83d86efc1bde81485c602cc9075141fe31464475729384690bb7d9e00b8dc9461ec8c3b8da5

Download Submit
C:\Windows\SysWOW64\Cnhhge32.exe

Filesize
94KB

MD5
b2abc928d980e150a72e8a0e42a6190e

SHA1
c80dde3bf6c8a5b26fe7fd4f07f34ddbdcb966b6

SHA256
be0ae5df96f0582a0e1fbbc3973f3d3cfdd5d9f1a7a4271b7dcdc1356c0e4652

SHA512
67ea385d6bd712ac307a592834833783dde72dd5243e1ae626ae8cba0c39b7b543ea7135d4be8867c9e0abc1ad1d407b9c10e00c65f206fc6e4322e0165b331d

Download Submit
C:\Windows\SysWOW64\Ddbmcb32.exe

Filesize
94KB

MD5
b66dfeb09d601f58807c1179e6d77642

SHA1
5a3a9f68014126930f24d35cdf2aca80a346eb7d

SHA256
1ec0e8ccdd6f52b15e61e2d75e1530b27c3a0abc6720263ca3ee8a03997bc8dc

SHA512
370b8937fe7dbb2b1ee3ce2587971f796f6eb86735133bd7f8725f33355e79ab71e4c1241c79eb58f578d90f1698cbbd4b61dc9ed6d727c707c8197c09df1f94

Download Submit
C:\Windows\SysWOW64\Ddkgbc32.exe

Filesize
94KB

MD5
ff686b5baa9c84a5699166b2b2427581

SHA1
55188050e6f705a4684145794a16c2c746d64881

SHA256
75cf414ddeb667ef9cf6e0a8350df61e183337a3afb8fc85801594ad8500b978

SHA512
caa8e5e449a92e1cdbf1716f67c2dbfb2543b769f88a2f56aa2d679161697f46e7bff50e06ceb8372a902a0e70d566f1ebf28c8e9265ddfded0f2201f3fabf09

Download Submit
C:\Windows\SysWOW64\Ddmchcnd.exe

Filesize
94KB

MD5
30690e46be2d3c08f10000935115474f

SHA1
0f2a28d232ba3481ad865a9eee0f08cfe6bb3adc

SHA256
a2b12b7c25ad7769af70e6564b069d06175e5ce2ad71d42e76075d73793b5cf5

SHA512
411954dc68c08d180eab0573e880405e3d6bc366de8aade7f25f3691dcacaa103b2d46eb10d99ba8e86937b1a4d143fa1aa69d6a6526eca962a15d84cc030c16

Download Submit
C:\Windows\SysWOW64\Dhklna32.exe

Filesize
94KB

MD5
d0ea598b5b976313bb6896d49b5463ed

SHA1
6dc0737c7df596d0036e494f40aff0bfa73df82d

SHA256
5207cb7c2c57d9b234943092998333da2886bc0b15d480e007ef2792b861c153

SHA512
a216dfafad80c2006a721db96f3f267b42e039aec45836215663af2de8efab00d3a3ba5fa9aeb0eb513ff9fecad7f7b043050ccfd221b8107479efa682551cbc

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
94KB

MD5
99316bb6e64de668c105fdbef11fdeed

SHA1
a686153b3566501300dfc241f97fa2ac90740f59

SHA256
57be12ae6a1d2983419f54eb39952911d2764dfdf50c07de2b45e2cfb072e0e0

SHA512
9cc84a3683574fe24bf01e5a67c4b5f19042b6cee731337da58234e67e5e8f596eebb4adf510c221b6dae6c4ed8c0cdbc113e483834c0f710c8abce29303ec94

Download Submit
C:\Windows\SysWOW64\Djmiejji.exe

Filesize
94KB

MD5
d7f9c189e13d213b5471d8b3b850d72f

SHA1
83f6ad4a13af893b0c4d69727a651c5957cc0bf2

SHA256
c380c52af3f5fd46eaaa49c0fe2afe875e1851c86e40c60658cba857605274b5

SHA512
8ef55dc525dc196a234a4a9fc2e970d3b86323005aedf411760712f1f05e1d5ba2b04d05d70c6f8d6612b49115b9d6183379d7358596849e2a562809b5427bbb

Download Submit
C:\Windows\SysWOW64\Dkeoongd.exe

Filesize
94KB

MD5
3e965d3d8c1874fa942a14f03e454038

SHA1
3fa16c55ffc2013dba4717b8d66775e902d8f648

SHA256
a8ed26892fca8fe166a29f61b65922c4e986d20e33d99cac937641cc58cd3e1d

SHA512
5c39d6c02d63f3d68809d3633ffada0582e11b588be7e9b1663aca526861cbfcac7945aa50d5dc0b599c70efc20ca1e22df7ffe85ee2a27cd54991a8e129246e

Download Submit
C:\Windows\SysWOW64\Dkgldm32.exe

Filesize
94KB

MD5
9ced055f81ed10c0671491a3ae9beec6

SHA1
4f9cf5d9ab66936a9b6a0fe16fa0081651d286f2

SHA256
acbf7e45b9beb5221e1dc9037ca5e5a928b7e38014568a9bda80d11b18e692f9

SHA512
a407837b453128ebdc98d2170c545b16399047fbe56d0e23f2d1523d57c32d8ab2a5166569f3bd682beb189d0e61dc730d9c2ff984af5aa8dccdb25290866cf3

Download Submit
C:\Windows\SysWOW64\Dmmbge32.exe

Filesize
94KB

MD5
b7c4fa87a1c4848089d352ee793a0f61

SHA1
4e0f5733ef6d5d537f98a4b35de6a80ccd473095

SHA256
148f2525bd4fd5020214dd9d178af283040a1c47be3325d7f6ad52e40f9e885b

SHA512
a3dd84861049226497a6c8bddcecfb7ce889f6e955e182fe43ceb97b4b91af0e1ec30127df102ea3e4b3e989ab8878a4851bbdd62d32cacbcf1e144bc476a6db

Download Submit
C:\Windows\SysWOW64\Donojm32.exe

Filesize
94KB

MD5
44fee4e065d1afe594d0cc1a3002747e

SHA1
264f738dadc9a40bcf94fe16ae5c9d96445b2ab1

SHA256
fd3ae046b8cd0e5a423659b9dee7378e7184c479cf470564aee1a202df2e45e9

SHA512
282b2369565bfbcd33d05d1120df2446b8ba46a24c0b1bb7ff6a2d535988aea57863fe2267a011d0a90e2d71e1c524db58a899c6af7c7577c97326165e12bb51

Download Submit
C:\Windows\SysWOW64\Ebappk32.exe

Filesize
94KB

MD5
2dd64ad3e2abca3ac0cb868ebee2c76e

SHA1
61a144f5971dfd18bf2de61c24a7feaa1f04bb00

SHA256
6594febad48ff3aef5029181c0b1858eb869f17afbba2a38a19260d7c57b2bf4

SHA512
36f31eb81a31dfcd4814994f7a565a7994f80d00f392a0ee51a22d78ecd10fe97fa2a108069d37cce6dfb9872a64b292b93d42a7b813527e078162e6d65c41df

Download Submit
C:\Windows\SysWOW64\Efffpjmk.exe

Filesize
94KB

MD5
5156012425b4d5eeee3872fd3096bf2e

SHA1
498172a504cf5fd9cbec3ca61c636855ae5af5ae

SHA256
fc5907e3888b0e8eb73db105f10ca779e96e7ca57eb93239c3cb0c9e1303aa8d

SHA512
74fe3778314f9f206b2b8dfb5dc183d46df6c35b0f6c46ab4d5aed6ab273f83d329f163a33cde2814d76761dd28eb25fc20505f1d20fd9bf715b9766fa7340e2

Download Submit
C:\Windows\SysWOW64\Egpena32.exe

Filesize
94KB

MD5
51f01d6f12a345d6f2c5e634136b8a73

SHA1
d7d72c1fdb8edefe571c435b85bff0859266de6b

SHA256
12bf42135a36440b8cea743844e340360239f07004fd30bb449bb14625c73d10

SHA512
0505cef5340706c3ad51cce25c2584549375d3af3750f8f1772518b7dfc38c9d39b49a959b1347504976cdf9e65a02d1af197cc7fe91693b2ccc3631e9e90fc1

Download Submit
C:\Windows\SysWOW64\Ejcofica.exe

Filesize
94KB

MD5
fee5fa4ba43951425e9e3ada4230f952

SHA1
3c2a197ce09b4d6768c35c94b2254f156d509fb8

SHA256
458732709f643894ce63903973ad0398b02ba359a6f9e3a3942551c819ade685

SHA512
712459025a3205861a641394be1bf2ee05136080168458c74ef0af972e1236fd39dad76121dec5c502f77a4539e3d31168f65f2d97c6484f3818e1aed0272438

Download Submit
C:\Windows\SysWOW64\Ekghcq32.exe

Filesize
94KB

MD5
4cd9defc9e7a6c0738b68b8ef0fdc5ee

SHA1
4de2454bc7d14f7c39e7a2ef1a7760a7c4025afb

SHA256
94373e1f54b71f5152f96c96cd8a29e2a11dd0653d9961c4088eb3e95c0a26a3

SHA512
99f1a3012b309f29aad085be0140711e87866f68a25148d5ddace9fe14e97a82c935a4f3b8d2bac03e931bb8af0cff961e8cbb41493d45c745ac3d834d253873

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
94KB

MD5
9f346a6d02d9b4020c6a5e74a73693cb

SHA1
bf1da04d65cfd2d2d550f51d6ff770e193ee08a4

SHA256
ed120dd7a1f9f63fb60daf77537f0d411df0988dc5150595046944ff8168f503

SHA512
2d39c9b56602e77acf657537610faaaf457777a0ee660e627ab2d284e6c5cb8c711d66ead2359812e9d05b8dd2cd2658a04b15293dd86d63c0eb0c99eacab0aa

Download Submit
C:\Windows\SysWOW64\Epqgopbi.exe

Filesize
94KB

MD5
985cedaad3b0682110e06e9b2b60dc71

SHA1
e747fbedca1fb59d61d5fe3b2902cefc8b9993f7

SHA256
541edfba9268f60f8e5dd8ea3a29e49ca6caae0956608b972159377531196251

SHA512
510e4f8856e3c792307836ace35c2bc3008d276ef4b34a9254d2d6e285c204b123ae23bf78fb28e6947242467bb28285da43d1ee894c24c32a2f8ebb24d97d20

Download Submit
C:\Windows\SysWOW64\Eqkjmcmq.exe

Filesize
94KB

MD5
893254b9532d584209444e80be8cade9

SHA1
ea07d96b2dc58e6eeeccab35405d868ca1e0ea79

SHA256
ef933728d1f96ee5fbc95a2c16f8c56b5a07916b902ac7f4a972a1266e3d15a0

SHA512
7343fc59104b3bdac11960cffa6729a0567ea2fb000a18d430628b8a18d5d9be7ebe7a4d2005f0512c27968a10702f66992b2734f86bec1f4be31a8c8dd8627c

Download Submit
C:\Windows\SysWOW64\Fbfjkj32.exe

Filesize
94KB

MD5
e2860f343220475397bc84419fa9ed4e

SHA1
2be1e8aa3c27c87cf34a1279a771baff3fef2201

SHA256
331f4f36524207784aa18480961ceb688cf5e879ab6df659c811c9e9a8dff804

SHA512
0df786f6180348c8e179e4779ada10681643c6ed730e638e67e9e0d8e90b110742a716bfb2bcc7624ee7c9ce46d7a42c182c1b822018cca4ee915109f25724d3

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
94KB

MD5
2e6b7d1df8da950ba35580c87ceee89a

SHA1
73bd8bf16b9720cc8b6249e2fa0ea8fd1c0695b9

SHA256
58d3ad4b329837e184e7abac14c68243e3a2097efc2f280d2eb0ee6b511e3de8

SHA512
ed8fd9300baf5ae93a44c0a2d028da3eab7f0519e0e352fd2b1f1d73a9e4d9901d17776daae6a8b6b6743955bcc46f833d6ad30832f45cc459ac79407e47989c

Download Submit
C:\Windows\SysWOW64\Ifengpdh.exe

Filesize
94KB

MD5
0f7a8730317b296c9ceb7aee671814f6

SHA1
1c6e5dc861af0ee8658741f9bffc391a36c1287f

SHA256
1dd3593f48ca6eae121bcba1f556e2c150b4574ec0602ba1d8afe3d10f435b8d

SHA512
a4b749a4d33f272e384ee1be9c0f061db054f2824887cae836f8b66bd6d9f83aad16662ba0b43c9645615cd239f5a9364974e6e2ff925ac544c275d9c45ffdcf

Download Submit
C:\Windows\SysWOW64\Jecnnk32.exe

Filesize
94KB

MD5
790fbca9a4c395ddc151b5a8f65b01dc

SHA1
8945da7b921d02968c371a7268b506c832122fbc

SHA256
ed1fc3843c62e59757ff8ffdce7acbf475e4a1e831006580f891a7b786680496

SHA512
cd2176f45f17d81287e6cbf87fa70e0d6b4f6c18953725bfd304195100e2daace4f656e0571b776f8c725f70f96301d5c2ff6ad81dc37848051cb50d41c049f2

Download Submit
C:\Windows\SysWOW64\Kppldhla.exe

Filesize
94KB

MD5
f94204ec463f72077e86862f1e16d223

SHA1
ebb232917e23f1602c8283b49df56d369a5b676c

SHA256
00557a3fed3005bc2d38c13d86cf7b6648dedb984fe18d7d18d4d7a6d2ba63db

SHA512
c4067ec90a71f78adad6d7678931de11268faa69c433c6a0e5f2fdaccfe901f53138afea5a545331763c5be44e2b201c55f67b01a751870846d471ae4356e2ad

Download Submit
C:\Windows\SysWOW64\Llpoohik.exe

Filesize
94KB

MD5
01d7a35cf50d1d206597f56e7d4fc53b

SHA1
08d0fde060962b7036a6db0d8cc78da3d141b96b

SHA256
b360a631449b0641c415b14f08bedacf46cb89cb8dcf56298d6cc802ee56b85d

SHA512
6926c7fa2c8bfe61ace8210cb3ab7982e659adb749ba307ed6ff5892535877f21b7e0859c01a1d8a8ca69dddccee68467bed47fbd58dc9c1cd9522afcb6b493f

Download Submit
C:\Windows\SysWOW64\Lophacfl.exe

Filesize
94KB

MD5
726160dc31b40adf20cf034ef1613d3d

SHA1
cd933d491c1461ff3bc75fb8392d730f226b324d

SHA256
91626f1a1d1a75a0a79774b556c45114fbac68fc53998d3697eb01bde9294f13

SHA512
fdc685d354a913d7c2ce2c196cd208b9f44f98cb0473dd89dcd1852bab17870711ed5c7ad6e088813c86263199008d5470db80b11164713d13d697bdbfc1c6bd

Download Submit
C:\Windows\SysWOW64\Mbiajn32.dll

Filesize
7KB

MD5
5473f78920b699f491e29c6d44201d80

SHA1
b8791b91121162c4cd2ee4d78f8221ddeda72a46

SHA256
bd67c806ed47e38d4e05685dd55f708f1203079cf71ee4d17a0fed4cb416d1d8

SHA512
7a7bdd795846118dacd694463519d861a9c5d96e3a053d6d6be79c9491426a56f13d48e8f1315c9671b0cd794cbfb03f30e68ee7a03cf8e5a7e1586493ec0a47

Download Submit
C:\Windows\SysWOW64\Mdojnm32.exe

Filesize
94KB

MD5
4a7430771d080f294632fd91e2a6eb2a

SHA1
7b92356c08dbdb081bee4aab079d75b23c7a8e00

SHA256
a1733ddf0162d18a224bc851e5059b53d987bdc315ef460bb54cc22c75558af7

SHA512
71db99eee2fc9daeb7b957142230b71f70ec8becac64701bd87c3ce490e31ff9cacc6d5b5e040626b81ea5dac8bbde282883a4761143c9170d06652d66d1a96f

Download Submit
C:\Windows\SysWOW64\Mehpga32.exe

Filesize
94KB

MD5
4309abb420f97af037d198466f948a50

SHA1
2c98a2775871343e40b7dc9006ea2e8ceddb73ee

SHA256
c508e185d5468bda0934e376249cb3b1cedaa3917974f7c38b191ad4935d0308

SHA512
1681a22a7ee457355e258b230e0fb0fb26caf06a396ff42674062856f6c589a1c6a2acc505762b03626a8096e439828a0965235232c9d53de86366a0acbe16d1

Download Submit
C:\Windows\SysWOW64\Mldeik32.exe

Filesize
94KB

MD5
166cf4b3c45a50882366f3cb9b9d242a

SHA1
43849dce0e2666454527107f38c35135c26cc983

SHA256
f366b358028c29fc22ba30441a624f634c0e20ecaff02ed1d457f321f0a041e9

SHA512
a28134b3b73f598424e49c4d6ac45c92198eaa54ce55cae2ffa36fb11536222c76922458491553172063bbcdf7a41eb82177d4066e4131858ae42786d82eb1f1

Download Submit
C:\Windows\SysWOW64\Mlolnllf.exe

Filesize
94KB

MD5
7a33808c46722db29079aa6858eba95b

SHA1
e6bc6b31e49e55a2053f4fa77ae7fffefe171136

SHA256
39643eba23dd3632fdaf8dc7af548864c958720274c4becb1646155c656bf3fe

SHA512
360824504bcd87890a3c4bc5dbb29741d31f0b6a86b366c88e5e4b94b73e927c1e454ce77b17da495cdc365540cf24d94ee2902b2c7ea8ce5a3a51ee9d92c1ec

Download Submit
C:\Windows\SysWOW64\Ncnjeh32.exe

Filesize
94KB

MD5
807e78e8e65d6c5047b38358bbc433d7

SHA1
364972754bb5a6ae88910b2d8d23889ea02762bf

SHA256
a383c3709eb5fcc2264662180be0335e927215383c38fc06b50182c6d080c90c

SHA512
1871fc30b172134a28c4b893100ed97812220e4cf801d9918817c3c977b808f0bf5092cd0517d252adc62859e0ce20f8346e48559b8aabb0da0527722032c7b9

Download Submit
C:\Windows\SysWOW64\Ndafcmci.exe

Filesize
94KB

MD5
9006286928d5a736e68f05a97182c506

SHA1
32f7fe92641f676f70b078abd42807c602214220

SHA256
df5579052bf75722b1d6c2e1c9c3a3513b6223f020babe03158f4d7a0392dd2d

SHA512
b8fe3413d550ce93edf8cf5a32291f6fe76e914912f6fac4011531962eac7d2b625ba5f2fce24acbb1bb57150f0a592bc83107e44c309941412f64a7ac8b2dad

Download Submit
C:\Windows\SysWOW64\Ndfpnl32.exe

Filesize
94KB

MD5
7f5e1bd1d67c1c11af5db77ae60f3325

SHA1
a1bccc95dc98dc2197ca50029ce1fdea96776e4f

SHA256
cab085b3c0626ba314fc784f2102df31bb92005af66acf46c5f1552e11f21d3b

SHA512
35f9511690b972b2c5b28aa0570525f0bdfdd73066e901285828e54df435b502a5c54f466c748f9bd839bb8f2283ef1a716b35e9d5477654e6dc9b0c66f91026

Download Submit
C:\Windows\SysWOW64\Nhkbmo32.exe

Filesize
94KB

MD5
e443bde806e0c9fc826147ebb31c8287

SHA1
c340f0a562dd1ec85894538f88dd1c325f0b4366

SHA256
d6d2345cddaad7d726e3eadfb8580e83599e668f00980a1262c478ee343a098b

SHA512
797591db424fe2e95f92ee19e09805f02f90570febe367664262af39c9c00965f6b855b1f3609f37c8da0529dbaa1087e34da3177b56eac2c0004aa1cf6a2fe6

Download Submit
C:\Windows\SysWOW64\Nopaoj32.exe

Filesize
94KB

MD5
b825f1c9d549724f471becb79cc719db

SHA1
ec0cde2bec2ea04ffead01d86d7900e32a8686ce

SHA256
3c46ef9b8c1d15d1824427bac86d4bde87a9fe84c20657b7fe40bbf73260de00

SHA512
3242410fd064506264fa50ef9592545233f0c21ba185d246e55aadc38cb3a17273c36dc9f778c5eb62195712b4349f6634f4226dbb4a210e22e00b8e664dbb66

Download Submit
C:\Windows\SysWOW64\Nphghn32.exe

Filesize
94KB

MD5
e633c237541f79f01f3806fc60d12753

SHA1
d15436f3119014df49fff8a996946981031efb57

SHA256
70fd387c5aa4b61b47dd6833c3bad04e36b07f100121800f9db49e060b7db1fa

SHA512
e0d936d77c94c9c514186a369c60960a545a8578afaceaa2cecde7cddea0799b218b864a5b00781cf63de0e34e761b4dfc56b76d45d9ca13fd4e5065b2810e3d

Download Submit
C:\Windows\SysWOW64\Obcffefa.exe

Filesize
94KB

MD5
2765a2d38e7c5c5bbf3aca41513d139b

SHA1
b1b73ec6eba4fd480884f57924f3f6eea84801b1

SHA256
42baa80e2be16e2198ee9205e3552448988c00011ca0eddbfa3588aa8e46e8e6

SHA512
f57297175b39df30a5be44ceb96ef6b7d28892edcffb6e153602926e47403e1724280950bb9bb4b778f5f4bf56edb983f17958fb8d6777fb9186f1fd041ebefc

Download Submit
C:\Windows\SysWOW64\Oiahnnji.exe

Filesize
94KB

MD5
8039a6fde89f35863323c08800f69c41

SHA1
f3bb4bb0ca818db3349c4936a95a1e89432b9e27

SHA256
706c7d00160f674e689e00b4ec1acab0fed83df13251c891ee84859bda4baed8

SHA512
924660b8acbae30e3d8ff3ad44004476b7a668b9fe6dbd286c0d3a8b7b0eb97005baad3b702df3eddb885513cc49d4788a6f4a63b86b8197f5c24f9193a6a334

Download Submit
C:\Windows\SysWOW64\Onoqfehp.exe

Filesize
94KB

MD5
939fc4c22805ddc5281ac0b6a3caf918

SHA1
08a227fd5dd43d762878de979f58c1666f09f33c

SHA256
e868b78f09f8c150e6d383a3ed1157dfb50583835f7c6ed6aeaf06cb4c82b96a

SHA512
608deebff78f68ec3e3e5a28811b0a69761eb744c169d7ed7af0f28e0709268229aea91dd067301b1e4e4c472afaacdfdc60e760770ad70ed32df5292c49c731

Download Submit
C:\Windows\SysWOW64\Ooidei32.exe

Filesize
94KB

MD5
18e0acf067a09ee38faf815fdef0fbac

SHA1
f5805ffe4eced631fddd03af25b0293174d849c7

SHA256
d52b20a0c6d62828b70ebd13f803b167d35e7ff081ffb0050b1b01dfe2c1ff79

SHA512
39c47f85e6520269237a8d9e93d51ed9a68a827f84ff66cb65651791a3563e4d22fffe86810dea014159dd572de52807d1c8d2ddeeaca49f194a5f3132d427e9

Download Submit
C:\Windows\SysWOW64\Pcdldknm.exe

Filesize
94KB

MD5
f4527bb155252f8f02bb5fcd3c98d2bf

SHA1
44e908c722b820e267536c18d1baeaaf75462388

SHA256
a79c03ee2ce2c70e6b4e2396aa1352625b981d63934bc081bbe305c0ad915356

SHA512
867fd037fed870d8766f7a0d8fcf289006a7f53029b4c808492b1cb1bc1e00b538094eefd947b8a1c8718f61deca7a86eabf3fe6093a74c7e2aa32ca8ef82e23

Download Submit
C:\Windows\SysWOW64\Pcpbik32.exe

Filesize
94KB

MD5
ebf0510e79448c34c28033097a435b23

SHA1
cae606ee13ac0be30f445d25bd2cf0c1100f565f

SHA256
6b209a3171de3c59d986fedb97e2c179ea8f5432044d1e4ab88e37d0b495d789

SHA512
91a2877b3894941cea94e146d8d5f2618f8f4a806364661abd0200fa7ff55e0114a8d9a2e62bd780068b5625c5abfc6a01dc773c766a010d27fe9b949da9e71c

Download Submit
C:\Windows\SysWOW64\Pefhlcdk.exe

Filesize
94KB

MD5
2af7246c3e81f2118ce119b1b06e98ae

SHA1
813d3c9bdb2def7f89fb129c3cea81874db6083e

SHA256
0322f4cedcd9a8f88fd212f7a4d47d146d44f431f5e6fe9d896049a01b3be7e3

SHA512
a0012c23f8f99abfb87d086242893f65d20c1eaff5959e4c04c725c312730b8dc3e8b5ea745bd979fd4a6ad04ece1e19703caa17e530f8278d8e0e03e2730456

Download Submit
C:\Windows\SysWOW64\Pidaba32.exe

Filesize
94KB

MD5
bbadca2c378d4a7221816cdc6bdb5d4d

SHA1
981f6870b3e2e4697613c983f97053013790395d

SHA256
f05184bf8611943563e45e675d5e6e5aa6841a3017fd1f58f2d9cf8289a4f695

SHA512
3e5fa26e0504ab23f940841dea167f4e20fa19211df44ff7bca45f6c529e763b066f37944e0bb2604fd2bd2d6521f81e4ff4c04edb0752bc0274934d83657f9d

Download Submit
C:\Windows\SysWOW64\Pimkbbpi.exe

Filesize
94KB

MD5
24af2f891cd9429c75992fb476904b4b

SHA1
23b1c1323087cc602010bc84faed8f17aa111abf

SHA256
c4a4c80f7a7a9d73674dfd434bfaa45cc97b9b66c46e0957147fee952530884c

SHA512
0973a9b832451eab6468c2c6f19890ae52490bd11745254f33b35c0041bde9b94e223486db20e9852110db65c29618c39a3653687f8e7c58b580cdd8bf6480ef

Download Submit
C:\Windows\SysWOW64\Pjhnqfla.exe

Filesize
94KB

MD5
085518970b9aef947a9c2cd8dff5d1e9

SHA1
403c7e3971c6ea759d8b01e8f0d470147c7af8a1

SHA256
6ee1237cff66a39917d85f2a2baf3913e4933a95ca8755957067672740d43fad

SHA512
738a13cc639a3c969dab810a85ae98a2a93f8a3587216525022facc891163b79c71354eff0fb7c64815c824dbbde354ee7fae75035c97e7d6ec98f3c40b8dbf2

Download Submit
C:\Windows\SysWOW64\Qldjdlgb.exe

Filesize
94KB

MD5
75a66dd073d3db40f73914d05236342b

SHA1
03d913dcf4af3108dc37f464075bc40bff9c7c2e

SHA256
302e00f003807674e111afe32fd723e5c406e8e4e31e9320a55898480afe8478

SHA512
7ca44f2bdf5bc83c098d030e9f069f3f8f08dd06d26e5c30ad04f86c633e8c43c3979cdae74f6d0ca0f32b4af48949e8f6f3d4c793ed94d1969a316366d16b7e

Download Submit
\Windows\SysWOW64\Iqhfnifq.exe

Filesize
94KB

MD5
1ae10107eb76832af755ee17bfc1e027

SHA1
79c09f6b435baafed3f74d541be3a81ee449aac4

SHA256
56865faf53d15523ec6086fc2221a20b775a0fe45764fcdff750f5255dae21d6

SHA512
9202436e145015880270135f0fbec921e081aeb15a5fb99ad01b9d3b5be7320d988d9b20555f0e5f9d5b3728a943f6e6e27ad19ac02adee44efcc3bc4046b663

Download Submit
\Windows\SysWOW64\Jbnlaqhi.exe

Filesize
94KB

MD5
dbb52f8103241703e073202f4d5a8f23

SHA1
1dd891bf9e05240b87ec9fc877098f1fdcf705bd

SHA256
806ab9b065fe179231128859bd44c127a696e1944bded8d0b7651d17a3109ada

SHA512
42e54b8a858b46e68048813bb3e95dbc6b45c29af5fcda406a976425aaf7fe33dfb910806cafc7400f5d8d4f046647ea87b74b8db007d7089535ca5c7b2a8f54

Download Submit
\Windows\SysWOW64\Jeaahk32.exe

Filesize
94KB

MD5
d1ffe984543bc74716584e32cd3ac5e0

SHA1
ed0c20ec362a80fe62ffbeaf7b46ab95a9f609df

SHA256
8062f9abe3188fbc6a374d40cfae581a4d5e563b404663ccccbbfbcbfc2c2695

SHA512
b04e1e5554e477713baa5cd569c28e4a4989d9ce8448c2b13974792c6bd08884288bf9a03cf8f6d99d8b52859358f5c69012aa4646241e933596012f58305424

Download Submit
\Windows\SysWOW64\Jijacjnc.exe

Filesize
94KB

MD5
6adf4dade5a84182e24280517489159c

SHA1
d68cefbd0f66788f02c6e5ec2cd383926ef4bde3

SHA256
0da34df023348de87d396514a2450795faa4e37509301dc7c54831e3137e4456

SHA512
2249d490e3066a0a41596f177cdede7e60dc59ef91bab8fc999ecea5efea6b9c59382e073fa786d6d4ba57a9652ac2a7a5b8502c0fdad5abc7d357312e3051c6

Download Submit
\Windows\SysWOW64\Jpmooind.exe

Filesize
94KB

MD5
dc547431764eb806d0220697ba5216ee

SHA1
882072b4c92c78b42d7587c52ca51b18ff6f78b2

SHA256
ae120f54de774cd786a390b876c4b0f78245384a359f386cde4f23a0ac1dedc0

SHA512
d8668a36d39046733280511c75e335d054ad124ce4c72ba87e6cc94499f87196b8be4041f6658083a336adf7904e98d32ff4841a7165b2f87edcf9d6eee08298

Download Submit
\Windows\SysWOW64\Keoabo32.exe

Filesize
94KB

MD5
4757a8cf06793a338413d08a2ed6579a

SHA1
af1e3182d986af8585a59eb19c8b16a422914e80

SHA256
b323492c2b276478aa19274a4f35a16d7ec68fb210960350387b76a55186c037

SHA512
092e59b202f346c878bfe0bdb39e9e442ad917f8f4c9737185bdc68bb5d9a3c98519d4328e93e89e92076f729c238c427728daff02e93ea3909c96519c638eae

Download Submit
\Windows\SysWOW64\Klkfdi32.exe

Filesize
94KB

MD5
00b681f36f8a95310c05d5fa5cf20a5c

SHA1
d59a316a3eae739e827c89bad701fb4dfeb184e3

SHA256
0f1be85c866d222d505ebfa45cb307be2cdf0d16447cd874a57d3482640afc99

SHA512
ca5f96524dc31324e6390d6714edd02e92dac9e89b04ff90a452f115166a5b73b212e2f4857598c6875a7e6ae1b486fc5538a0672508af4da788fcfa1e247cf0

Download Submit
\Windows\SysWOW64\Lbgkfbbj.exe

Filesize
94KB

MD5
b4a7be1c7af83170cdd34ef7c0b33708

SHA1
ee2c89460b83d459298bb7bae41e993d89268265

SHA256
e082e16bd28e8f11a86bb3feab1c17d923673ad74be2a7753a8599ca82fc4b19

SHA512
b528f7ea47f16f3989eaebaee14ca333bb1e81aa97b3b4cdc7cfdc67e0f08f3f72bd6db7a905fb40d9f0f094bf5b72a6c96a31e22da9ffa64d07ff588d5f13da

Download Submit
\Windows\SysWOW64\Lgnjke32.exe

Filesize
94KB

MD5
6ec3b5f63dcab3fbd24e0f7b74468c62

SHA1
447d4702851f3a892bff6bd588fc875601a54577

SHA256
06e38812a931bc5950e66d8c4e9931c3354fb47ee3de0894f9b87018f0fc19a3

SHA512
9615a27825eb2babe7947efd1a5cdfc89dbdf4deca55bdc8b17e8576a92f5830bca32169dd0c8fb4e2d88613de611b0628aa699f08ee8f03e570793e2b38bd19

Download Submit
\Windows\SysWOW64\Lgpfpe32.exe

Filesize
94KB

MD5
b78070a5ef810c2e6cc0d585897e6343

SHA1
1419852a8397769c5b033d1454531c25e5836f60

SHA256
48481b656331881439f5462cb2fe2a2e43a3218a4254f70acdbff7c9f1301f52

SHA512
976573a87ff19e4b0e0c3fdbc3dcd5f8087b18b8fbbdd06f0b695b96680cd52ae1f23249c6429f6c48fbb6fd8ea992ec3ba62c7afb1bfb4c52a7838ab5c5c4e6

Download Submit
\Windows\SysWOW64\Lpdankjg.exe

Filesize
94KB

MD5
5fe9ba371b7ca116c9b14ad90fac4dfb

SHA1
8293d3eb6f37a56daee697a209332dab23bbfc9d

SHA256
65ffe012caced81df8f53462580c2a123d57f49a83a1fac6795fb7ea62158558

SHA512
15787057c6186206f69e63f3593843aa564a4540f3255846720190001b0c0f3616f9ddc4ed8c6a0949f42fff90923539db23522dc491a3dfddee86e700e9b003

Download Submit
memory/460-482-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/460-176-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/460-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-154-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/940-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-242-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1252-88-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/1252-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1252-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1308-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-295-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1316-294-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1316-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-489-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/1396-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-252-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/1680-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-500-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/2012-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-233-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2044-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-436-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2148-120-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2148-115-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2148-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-107-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-36-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2248-317-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2248-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-316-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2260-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2260-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-447-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2312-134-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2312-135-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/2312-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-422-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2316-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2324-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2416-62-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2428-469-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2428-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2432-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-345-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2484-12-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2484-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-339-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2484-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2484-11-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2512-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2512-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-306-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/2528-305-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/2580-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-284-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2584-283-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2584-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-265-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2596-261-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2624-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-372-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2724-324-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2724-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2724-328-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2748-351-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2748-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-337-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2792-361-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2792-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-26-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2828-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2828-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-464-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/2912-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-149-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/2940-384-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-383-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/3036-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3036-404-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads