berbew | 1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27fa

Analysis

max time kernel
113s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
Size

64KB
MD5

4f6f7f3542b209f7fe8f04ee8c6faa70
SHA1

216c0f627df955fe3c42297678e763522a493bf9
SHA256

1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27fa
SHA512

e75cedb4b315eb40e75d70b651836f532fbb4140e443ad6fd21444b07decef3652d96106ae488b6022d461bb36d4ee67447df4eb1ba85e3a73ea51f3e5d4b973
SSDEEP

1536:dA66REhg3+IUfuVbHADnhLbwnYYYYYYYYYYYYYYAYYYYYYZjYYYYYYx88N3b:+NREfuZA7V8+b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajehnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmdin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkielpdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agihgp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plpopddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehcij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alageg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddbjhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmdbnnlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdkpiik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdkjdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plpopddd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feddombd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogfqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnjqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daaenlng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agihgp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcilc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcjilgdb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmmcpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feachqgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbgjgomc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogfqe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihjolae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbgjgomc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edidqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihjolae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebckmaec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdnjkh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcedad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdhefpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidddj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddbjhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmmcpi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjjaikoa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2532	Pbgjgomc.exe
2688	Plpopddd.exe
2808	Pehcij32.exe
2868	Qldhkc32.exe
2616	Qkielpdf.exe
2596	Aphjjf32.exe
2240	Aiaoclgl.exe
2576	Alageg32.exe
1620	Ajehnk32.exe
2984	Agihgp32.exe
2632	Boemlbpk.exe
1988	Bjjaikoa.exe
2556	Bddbjhlp.exe
2520	Bgdkkc32.exe
3008	Bhdhefpc.exe
1468	Ckeqga32.exe
2040	Cfoaho32.exe
2004	Cogfqe32.exe
1552	Ciokijfd.exe
2132	Cbgobp32.exe
1132	Cmmcpi32.exe
2328	Cidddj32.exe
2344	Dblhmoio.exe
1480	Daaenlng.exe
556	Djjjga32.exe
1560	Dgnjqe32.exe
1948	Dhpgfeao.exe
2796	Edidqf32.exe
2824	Eifmimch.exe
2860	Eihjolae.exe
2788	Elgfkhpi.exe
2608	Ebckmaec.exe
2248	Eeagimdf.exe
664	Feddombd.exe
2272	Fkqlgc32.exe
2924	Fkcilc32.exe
2020	Fmdbnnlj.exe
1760	Fdnjkh32.exe
2068	Fpdkpiik.exe
1116	Feachqgb.exe
3016	Gcedad32.exe
844	Gcgqgd32.exe
948	Gdkjdl32.exe
904	Hnhgha32.exe
2432	Hmmdin32.exe
700	Hcjilgdb.exe
2540	Hjcaha32.exe
2148	Hqnjek32.exe
2320	Hbofmcij.exe
1572	Icncgf32.exe
2476	Imggplgm.exe
2748	Inhdgdmk.exe
3036	Igqhpj32.exe
2640	Injqmdki.exe
2672	Iknafhjb.exe
1456	Ibhicbao.exe
3000	Icifjk32.exe
460	Ikqnlh32.exe
1124	Jggoqimd.exe
2064	Jjfkmdlg.exe
2216	Jgjkfi32.exe
3056	Jikhnaao.exe
936	Jbclgf32.exe
288	Jimdcqom.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
2532	Pbgjgomc.exe
2532	Pbgjgomc.exe
2688	Plpopddd.exe
2688	Plpopddd.exe
2808	Pehcij32.exe
2808	Pehcij32.exe
2868	Qldhkc32.exe
2868	Qldhkc32.exe
2616	Qkielpdf.exe
2616	Qkielpdf.exe
2596	Aphjjf32.exe
2596	Aphjjf32.exe
2240	Aiaoclgl.exe
2240	Aiaoclgl.exe
2576	Alageg32.exe
2576	Alageg32.exe
1620	Ajehnk32.exe
1620	Ajehnk32.exe
2984	Agihgp32.exe
2984	Agihgp32.exe
2632	Boemlbpk.exe
2632	Boemlbpk.exe
1988	Bjjaikoa.exe
1988	Bjjaikoa.exe
2556	Bddbjhlp.exe
2556	Bddbjhlp.exe
2520	Bgdkkc32.exe
2520	Bgdkkc32.exe
3008	Bhdhefpc.exe
3008	Bhdhefpc.exe
1468	Ckeqga32.exe
1468	Ckeqga32.exe
2040	Cfoaho32.exe
2040	Cfoaho32.exe
2004	Cogfqe32.exe
2004	Cogfqe32.exe
1552	Ciokijfd.exe
1552	Ciokijfd.exe
2132	Cbgobp32.exe
2132	Cbgobp32.exe
1132	Cmmcpi32.exe
1132	Cmmcpi32.exe
2328	Cidddj32.exe
2328	Cidddj32.exe
2344	Dblhmoio.exe
2344	Dblhmoio.exe
1480	Daaenlng.exe
1480	Daaenlng.exe
556	Djjjga32.exe
556	Djjjga32.exe
1560	Dgnjqe32.exe
1560	Dgnjqe32.exe
1948	Dhpgfeao.exe
1948	Dhpgfeao.exe
2796	Edidqf32.exe
2796	Edidqf32.exe
2824	Eifmimch.exe
2824	Eifmimch.exe
2860	Eihjolae.exe
2860	Eihjolae.exe
2788	Elgfkhpi.exe
2788	Elgfkhpi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Ikdngobg.dll	Fkcilc32.exe
File created	C:\Windows\SysWOW64\Ikqnlh32.exe	Icifjk32.exe
File created	C:\Windows\SysWOW64\Hbofmcij.exe	Hqnjek32.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Miglefjd.dll	Bjjaikoa.exe
File created	C:\Windows\SysWOW64\Hcjilgdb.exe	Hmmdin32.exe
File created	C:\Windows\SysWOW64\Ahemgiea.dll	Elgfkhpi.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Imggplgm.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kdeaelok.exe
File opened for modification	C:\Windows\SysWOW64\Ajehnk32.exe	Alageg32.exe
File opened for modification	C:\Windows\SysWOW64\Hqnjek32.exe	Hjcaha32.exe
File opened for modification	C:\Windows\SysWOW64\Qkielpdf.exe	Qldhkc32.exe
File created	C:\Windows\SysWOW64\Feddombd.exe	Eeagimdf.exe
File created	C:\Windows\SysWOW64\Feachqgb.exe	Fpdkpiik.exe
File opened for modification	C:\Windows\SysWOW64\Feachqgb.exe	Fpdkpiik.exe
File created	C:\Windows\SysWOW64\Heloek32.dll	Cogfqe32.exe
File created	C:\Windows\SysWOW64\Fmdbnnlj.exe	Fkcilc32.exe
File opened for modification	C:\Windows\SysWOW64\Jggoqimd.exe	Ikqnlh32.exe
File created	C:\Windows\SysWOW64\Daaenlng.exe	Dblhmoio.exe
File created	C:\Windows\SysWOW64\Eogffk32.dll	Hcjilgdb.exe
File created	C:\Windows\SysWOW64\Elgfkhpi.exe	Eihjolae.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Icncgf32.exe	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Qldhkc32.exe	Pehcij32.exe
File opened for modification	C:\Windows\SysWOW64\Dblhmoio.exe	Cidddj32.exe
File created	C:\Windows\SysWOW64\Egnpaigk.dll	Pbgjgomc.exe
File created	C:\Windows\SysWOW64\Npneccok.dll	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Cbgobp32.exe	Ciokijfd.exe
File opened for modification	C:\Windows\SysWOW64\Feddombd.exe	Eeagimdf.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Bjjaikoa.exe	Boemlbpk.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Oecfeg32.dll	Ajehnk32.exe
File created	C:\Windows\SysWOW64\Ehfenf32.dll	Bhdhefpc.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Qldhkc32.exe	Pehcij32.exe
File created	C:\Windows\SysWOW64\Ljdpbj32.dll	Feddombd.exe
File created	C:\Windows\SysWOW64\Aonalffc.dll	Hbofmcij.exe
File opened for modification	C:\Windows\SysWOW64\Igqhpj32.exe	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Ibhicbao.exe	Iknafhjb.exe
File opened for modification	C:\Windows\SysWOW64\Icifjk32.exe	Ibhicbao.exe
File opened for modification	C:\Windows\SysWOW64\Agihgp32.exe	Ajehnk32.exe
File created	C:\Windows\SysWOW64\Lkjcap32.dll	Hmmdin32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Qkielpdf.exe	Qldhkc32.exe
File created	C:\Windows\SysWOW64\Ogbogkjn.dll	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Jcnllk32.dll	Dhpgfeao.exe
File created	C:\Windows\SysWOW64\Pgejcl32.dll	Hnhgha32.exe
File opened for modification	C:\Windows\SysWOW64\Ciokijfd.exe	Cogfqe32.exe
File opened for modification	C:\Windows\SysWOW64\Eeagimdf.exe	Ebckmaec.exe
File opened for modification	C:\Windows\SysWOW64\Fkqlgc32.exe	Feddombd.exe
File created	C:\Windows\SysWOW64\Jbclgf32.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Ajehnk32.exe	Alageg32.exe
File created	C:\Windows\SysWOW64\Aligmfnp.dll	Alageg32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnmel32.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2012	932	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdkkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cidddj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daaenlng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icncgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogfqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjcaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajehnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edidqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alageg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dblhmoio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djjjga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boemlbpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qldhkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdhefpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgobp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmdbnnlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plpopddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjaikoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feachqgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmcpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkqlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjilgdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agihgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckeqga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eeagimdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpdkpiik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcedad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehcij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elgfkhpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdkjdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkielpdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciokijfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnjqe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpgfeao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qldhkc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddbjhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhpgfeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll"	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aiaoclgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahemgiea.dll"	Elgfkhpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejjjbbm.dll"	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feddombd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdpbj32.dll"	Feddombd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aiaoclgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdkkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfdih32.dll"	Ckeqga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nidjhoea.dll"	Fkqlgc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aligmfnp.dll"	Alageg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmd32.dll"	Eifmimch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgikm32.dll"	Ebckmaec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonalffc.dll"	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdkjdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbgjgomc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daaenlng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll"	Gcedad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajehnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plpopddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjleia32.dll"	Fdnjkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdkpiik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icifjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miglefjd.dll"	Bjjaikoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhafee.dll"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oecfeg32.dll"	Ajehnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agihgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckeqga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eeagimdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilalae32.dll"	Eeagimdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boemlbpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agihgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckeqga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpgfeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebcm32.dll"	Fmdbnnlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdnjkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgejcl32.dll"	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icncgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dblhmoio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkielpdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2532	2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe	31
PID 2024 wrote to memory of 2532	2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe	31
PID 2024 wrote to memory of 2532	2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe	31
PID 2024 wrote to memory of 2532	2024	1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe	31
PID 2532 wrote to memory of 2688	2532	Pbgjgomc.exe	32
PID 2532 wrote to memory of 2688	2532	Pbgjgomc.exe	32
PID 2532 wrote to memory of 2688	2532	Pbgjgomc.exe	32
PID 2532 wrote to memory of 2688	2532	Pbgjgomc.exe	32
PID 2688 wrote to memory of 2808	2688	Plpopddd.exe	33
PID 2688 wrote to memory of 2808	2688	Plpopddd.exe	33
PID 2688 wrote to memory of 2808	2688	Plpopddd.exe	33
PID 2688 wrote to memory of 2808	2688	Plpopddd.exe	33
PID 2808 wrote to memory of 2868	2808	Pehcij32.exe	34
PID 2808 wrote to memory of 2868	2808	Pehcij32.exe	34
PID 2808 wrote to memory of 2868	2808	Pehcij32.exe	34
PID 2808 wrote to memory of 2868	2808	Pehcij32.exe	34
PID 2868 wrote to memory of 2616	2868	Qldhkc32.exe	35
PID 2868 wrote to memory of 2616	2868	Qldhkc32.exe	35
PID 2868 wrote to memory of 2616	2868	Qldhkc32.exe	35
PID 2868 wrote to memory of 2616	2868	Qldhkc32.exe	35
PID 2616 wrote to memory of 2596	2616	Qkielpdf.exe	36
PID 2616 wrote to memory of 2596	2616	Qkielpdf.exe	36
PID 2616 wrote to memory of 2596	2616	Qkielpdf.exe	36
PID 2616 wrote to memory of 2596	2616	Qkielpdf.exe	36
PID 2596 wrote to memory of 2240	2596	Aphjjf32.exe	37
PID 2596 wrote to memory of 2240	2596	Aphjjf32.exe	37
PID 2596 wrote to memory of 2240	2596	Aphjjf32.exe	37
PID 2596 wrote to memory of 2240	2596	Aphjjf32.exe	37
PID 2240 wrote to memory of 2576	2240	Aiaoclgl.exe	38
PID 2240 wrote to memory of 2576	2240	Aiaoclgl.exe	38
PID 2240 wrote to memory of 2576	2240	Aiaoclgl.exe	38
PID 2240 wrote to memory of 2576	2240	Aiaoclgl.exe	38
PID 2576 wrote to memory of 1620	2576	Alageg32.exe	39
PID 2576 wrote to memory of 1620	2576	Alageg32.exe	39
PID 2576 wrote to memory of 1620	2576	Alageg32.exe	39
PID 2576 wrote to memory of 1620	2576	Alageg32.exe	39
PID 1620 wrote to memory of 2984	1620	Ajehnk32.exe	40
PID 1620 wrote to memory of 2984	1620	Ajehnk32.exe	40
PID 1620 wrote to memory of 2984	1620	Ajehnk32.exe	40
PID 1620 wrote to memory of 2984	1620	Ajehnk32.exe	40
PID 2984 wrote to memory of 2632	2984	Agihgp32.exe	41
PID 2984 wrote to memory of 2632	2984	Agihgp32.exe	41
PID 2984 wrote to memory of 2632	2984	Agihgp32.exe	41
PID 2984 wrote to memory of 2632	2984	Agihgp32.exe	41
PID 2632 wrote to memory of 1988	2632	Boemlbpk.exe	42
PID 2632 wrote to memory of 1988	2632	Boemlbpk.exe	42
PID 2632 wrote to memory of 1988	2632	Boemlbpk.exe	42
PID 2632 wrote to memory of 1988	2632	Boemlbpk.exe	42
PID 1988 wrote to memory of 2556	1988	Bjjaikoa.exe	43
PID 1988 wrote to memory of 2556	1988	Bjjaikoa.exe	43
PID 1988 wrote to memory of 2556	1988	Bjjaikoa.exe	43
PID 1988 wrote to memory of 2556	1988	Bjjaikoa.exe	43
PID 2556 wrote to memory of 2520	2556	Bddbjhlp.exe	44
PID 2556 wrote to memory of 2520	2556	Bddbjhlp.exe	44
PID 2556 wrote to memory of 2520	2556	Bddbjhlp.exe	44
PID 2556 wrote to memory of 2520	2556	Bddbjhlp.exe	44
PID 2520 wrote to memory of 3008	2520	Bgdkkc32.exe	45
PID 2520 wrote to memory of 3008	2520	Bgdkkc32.exe	45
PID 2520 wrote to memory of 3008	2520	Bgdkkc32.exe	45
PID 2520 wrote to memory of 3008	2520	Bgdkkc32.exe	45
PID 3008 wrote to memory of 1468	3008	Bhdhefpc.exe	46
PID 3008 wrote to memory of 1468	3008	Bhdhefpc.exe	46
PID 3008 wrote to memory of 1468	3008	Bhdhefpc.exe	46
PID 3008 wrote to memory of 1468	3008	Bhdhefpc.exe	46

C:\Users\Admin\AppData\Local\Temp\1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe
"C:\Users\Admin\AppData\Local\Temp\1e4fbacb97d92fb3b001e29df579770b96a0c59b8ff31dbffb1616f9411b27faN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\Pbgjgomc.exe
  C:\Windows\system32\Pbgjgomc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\Plpopddd.exe
    C:\Windows\system32\Plpopddd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Pehcij32.exe
      C:\Windows\system32\Pehcij32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Qldhkc32.exe
        
        C:\Windows\system32\Qldhkc32.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Qkielpdf.exe
        
        C:\Windows\system32\Qkielpdf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Aphjjf32.exe
        
        C:\Windows\system32\Aphjjf32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Aiaoclgl.exe
        
        C:\Windows\system32\Aiaoclgl.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Alageg32.exe
        
        C:\Windows\system32\Alageg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ajehnk32.exe
        
        C:\Windows\system32\Ajehnk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Agihgp32.exe
        
        C:\Windows\system32\Agihgp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Boemlbpk.exe
        
        C:\Windows\system32\Boemlbpk.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Bjjaikoa.exe
        
        C:\Windows\system32\Bjjaikoa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Bddbjhlp.exe
        
        C:\Windows\system32\Bddbjhlp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Bgdkkc32.exe
        
        C:\Windows\system32\Bgdkkc32.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Bhdhefpc.exe
        
        C:\Windows\system32\Bhdhefpc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ckeqga32.exe
        
        C:\Windows\system32\Ckeqga32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Cfoaho32.exe
        
        C:\Windows\system32\Cfoaho32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2040
        
        C:\Windows\SysWOW64\Cogfqe32.exe
        
        C:\Windows\system32\Cogfqe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Ciokijfd.exe
        
        C:\Windows\system32\Ciokijfd.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Cbgobp32.exe
        
        C:\Windows\system32\Cbgobp32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cmmcpi32.exe
        
        C:\Windows\system32\Cmmcpi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Cidddj32.exe
        
        C:\Windows\system32\Cidddj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Dblhmoio.exe
        
        C:\Windows\system32\Dblhmoio.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Daaenlng.exe
        
        C:\Windows\system32\Daaenlng.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Djjjga32.exe
        
        C:\Windows\system32\Djjjga32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\Dgnjqe32.exe
        
        C:\Windows\system32\Dgnjqe32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Dhpgfeao.exe
        
        C:\Windows\system32\Dhpgfeao.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Edidqf32.exe
        
        C:\Windows\system32\Edidqf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Eifmimch.exe
        
        C:\Windows\system32\Eifmimch.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Eihjolae.exe
        
        C:\Windows\system32\Eihjolae.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Elgfkhpi.exe
        
        C:\Windows\system32\Elgfkhpi.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Ebckmaec.exe
        
        C:\Windows\system32\Ebckmaec.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Eeagimdf.exe
        
        C:\Windows\system32\Eeagimdf.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Feddombd.exe
        
        C:\Windows\system32\Feddombd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Fkqlgc32.exe
        
        C:\Windows\system32\Fkqlgc32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Fkcilc32.exe
        
        C:\Windows\system32\Fkcilc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Fmdbnnlj.exe
        
        C:\Windows\system32\Fmdbnnlj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Fdnjkh32.exe
        
        C:\Windows\system32\Fdnjkh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Fpdkpiik.exe
        
        C:\Windows\system32\Fpdkpiik.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Feachqgb.exe
        
        C:\Windows\system32\Feachqgb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Gcedad32.exe
        
        C:\Windows\system32\Gcedad32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Gcgqgd32.exe
        
        C:\Windows\system32\Gcgqgd32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\Gdkjdl32.exe
        
        C:\Windows\system32\Gdkjdl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Hnhgha32.exe
        
        C:\Windows\system32\Hnhgha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hmmdin32.exe
        
        C:\Windows\system32\Hmmdin32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Hcjilgdb.exe
        
        C:\Windows\system32\Hcjilgdb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\Hjcaha32.exe
        
        C:\Windows\system32\Hjcaha32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Hqnjek32.exe
        
        C:\Windows\system32\Hqnjek32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Icncgf32.exe
        
        C:\Windows\system32\Icncgf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Igqhpj32.exe
        
        C:\Windows\system32\Igqhpj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ikqnlh32.exe
        
        C:\Windows\system32\Ikqnlh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Jjfkmdlg.exe
        
        C:\Windows\system32\Jjfkmdlg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Jbclgf32.exe
        
        C:\Windows\system32\Jbclgf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:288
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:576
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 140
        84⤵
        Program crash
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiaoclgl.exe

Filesize
64KB

MD5
51fa58983e68c448c9ce93821d478e6d

SHA1
2f674b77ee05f2bde19f15cc0df85f44ba1dab30

SHA256
51ab022e1e1da43fe4f372da8b62bc72626e5876e4c41cdded29420903e208a3

SHA512
7a13c8237fec83ab879d183c4e6ec462bd10ec178d10a1bbffc5699bcdd880801328ca3bd7d4370da9da2ad4e395548174eb9e8d5226a4b4a2cb45e918ef06ce

Download Submit
C:\Windows\SysWOW64\Cbgobp32.exe

Filesize
64KB

MD5
65d89f05a71d41c837e02b504bc05acf

SHA1
09ef483521fc4c473fa1cab8fc43b65f379c6534

SHA256
a5f1b61bdb1ee2e9e4db9515fa9d0a6de92795ce17922ad2ba22432fd3d20d0a

SHA512
b54e69d52dfd3a161beb175870ccbaf35118de93cc7155e206be4975dabb59ebf9407bf8a922b0d2d9954a32dcf6aa5e1c94e67d8240cb0bb536dc6760d53cb5

Download Submit
C:\Windows\SysWOW64\Cfoaho32.exe

Filesize
64KB

MD5
d1c97bc663e2dff28eaf0e641bba9690

SHA1
4114d903cbecbf67bae134712b54a0eb0bd34733

SHA256
5d0c3a265fd107d9cc4ab22b47096717eee09fc55bcffdc3ed46345446824a6c

SHA512
f15aa2b5bc60b0b32f6b4d016234ed472b07865f0fe4bd2d8029948f9fdbf1470172ac142ea70ba977850959178b9758a1b117083901ff324af79998bd4f5ad2

Download Submit
C:\Windows\SysWOW64\Cidddj32.exe

Filesize
64KB

MD5
af996d434406ae86a871af8569a1d402

SHA1
104a1e6cacec40278ce939facb4370187c2a2485

SHA256
d18b45d644a5bb39fb35ac6614e6153f58ad424541c95a5e0d10a2a72ef24961

SHA512
b94a2c13b9930d4b01c04965142a2b74c791470c4c59d3edbbd50387717cde05ee228b84523ec4c3355cda0ce835ccd5c6e4c4e59152ec6e1eb5e46116c6c837

Download Submit
C:\Windows\SysWOW64\Ciokijfd.exe

Filesize
64KB

MD5
cb1ae66c523e3b81c2288375217926b5

SHA1
f572896c3f38b8a7178cac89703f6ed854ef4908

SHA256
19b6e8f3e4ef9f340453265dc6d0b05e948e7dcb0d410f8774afcf26ba66342a

SHA512
d106303742208bdd89254ca43f1f1328e15e7528baa22c6968491210b1facd58ad2c4c3e8be8519ee5386034dbb40e45171c59cfff9cdfcd4c9ac25bf9323ccc

Download Submit
C:\Windows\SysWOW64\Cmmcpi32.exe

Filesize
64KB

MD5
71a22b3e1091ce8892ec9b184c7604a5

SHA1
0ca3646a153678ff1c563769e11a5a248fd2b805

SHA256
ac944513ce48118dff942b17249985478d33aec36b4426dde67dcb401b5502d0

SHA512
260702983f25dd735b34fb521a1b1769cb351537e47bb3fc3ea370f27588218736512bba173aca476365bae310b4f45ff68ab838c7ca2f027779638864373bfd

Download Submit
C:\Windows\SysWOW64\Cogfqe32.exe

Filesize
64KB

MD5
25624baa36b39770024cd386354e5418

SHA1
6a44a60682ac48bd8d7822ba9c8369cc9723bce1

SHA256
634c3b806854f98993d6e95653cd894ad150bc15bc0bdd0464f10db6a3e4cfae

SHA512
4f33a892c3d7d9b7c46e8382751bfadd3732b183941bb22c37891099f4a924efade7f6cd7ef6c48b49c22a056bb1ffb3b1a3efcc968f47eb0fb16b6849f3e03b

Download Submit
C:\Windows\SysWOW64\Daaenlng.exe

Filesize
64KB

MD5
cbf9861631b5621220b543b715e182c0

SHA1
a0ed2e3c783656f4bd2942fb9ded65886b37b00a

SHA256
281d579b7b837cc1885ad897abf58cedc4dd352ccfab98458dbda6aac56dee61

SHA512
86ce93195b3b8ba1b7268f83d9e163573813eb304c30525b67963f85d378a0f466bbfad3a70e9334060d2c7552209ffece79d226d594c2c1dd74cd363cfa3a40

Download Submit
C:\Windows\SysWOW64\Dblhmoio.exe

Filesize
64KB

MD5
300630a136fa75332187a38506cf3f84

SHA1
940dfcde89bd35b240a98f68fb14bb03eedaee7d

SHA256
a049641ba14abeb1146540316dfffc952395b17acbf5a45e5ee74da50255fdbc

SHA512
7d3c5357921df25e0db1ed8ad3d73344894b8377c2d5a98685bdfc9f76fca749ed5e8c97140883a6c713074b941d34a52e054d98065e93e68b966faa64d08f26

Download Submit
C:\Windows\SysWOW64\Dgnjqe32.exe

Filesize
64KB

MD5
cd54240db080e79599b9b3a0651d338b

SHA1
a7cf5080a1d92711292ae5a2a510c83014ec9d8b

SHA256
f57ea5985f53d3eed4485451054bd79b5e9b541d0a82e1b5ab6acb8ec6750d59

SHA512
037a4ea54aa2aa72027f9577c35406a9e3d019ac26038b5e39ccd5f1724c15c5145b47db808c631f0938f62bc0dfff8bfe574a20b632440d05b5e22e7beda2e0

Download Submit
C:\Windows\SysWOW64\Dhpgfeao.exe

Filesize
64KB

MD5
1fdaa966f199218855302edf3e46d9e1

SHA1
a31c6a2d2ce16dc8d8578345bc0cd54d881ecc0f

SHA256
bbd44ffafe725145b4b7382cbaf28101966a8fdd542530f9e62de5e6e6e0d5d1

SHA512
a8b1fe092d82cc4a1078560cf029df086cfaf64fe0f89bc9587406da7ff1cb99bddf9327b735d0c0a437333b25c0dc647543528bcd7699705226f7ea870833bb

Download Submit
C:\Windows\SysWOW64\Djjjga32.exe

Filesize
64KB

MD5
617519844eedc5e9de9bd431917f0d0f

SHA1
a79d175bb01b53f09985b6a0175f1d1cb41c88af

SHA256
af26ac50bc5cd520eeb78322627b329bbb5891925863d68cb5d33798e5f9dd01

SHA512
46fa4d09614c37bae84abd33572c0a9201f4014f6870259bb2e2aae9fa1ab6c07fd851963974f961953dfc7e2d83ced207b572159430acf1864335eb963c3a41

Download Submit
C:\Windows\SysWOW64\Ebckmaec.exe

Filesize
64KB

MD5
60b0dc5f628a57769247e738e70d388e

SHA1
e1087857d42eddc31e7e77eaa470ee40c63761f6

SHA256
0344ce32b63a6ac644c5216c1dc137f63d72749a8b969a0e82e1a10d630f5d90

SHA512
ccb5e21a2e073feb7d181b60a9e10dd90eae71572486f8603495e654eb3c5f868c75066f5beb9af89bea4fbd52e5641ba97c2a1c305e8ccac763ed35107f3c5d

Download Submit
C:\Windows\SysWOW64\Edidqf32.exe

Filesize
64KB

MD5
cf89c1838a8c33d0340baa3aabd8a61e

SHA1
d2c5f6497e3faff248684ea2efc7a28bfabceaf4

SHA256
dffa36f7b5c912012d2a8f2a764811fedf6c891c3f997794b4ea1a1a39f7d306

SHA512
da05be9b3b65ce05f4c88e30d4deaef648347f14525c57adbd1955b4b48333924cc5a4b7f809424106904f7b57a4f9cc344696b7e665a92a3bf540dd26344287

Download Submit
C:\Windows\SysWOW64\Eeagimdf.exe

Filesize
64KB

MD5
f753f5c89246726b916107f64011f8ec

SHA1
f390684f75f75f1996f60a55e7d9e2b164525a2a

SHA256
b86cec7d84d5681d4afa724afa068afae276d0a362577f31b0e8e02d4fc0999b

SHA512
5470b48488deb35aff150f9baf552b16d1ad2eadd6fccd981b67c6a62ac8eff2f64406e08e7a856fecc1ccd55de0fc57885fa9e6c63f804b401ee18d1ab66a23

Download Submit
C:\Windows\SysWOW64\Eifmimch.exe

Filesize
64KB

MD5
3bebfa8e9df0f3642a3299e615a78e56

SHA1
b11633bc3f3b9264a39d0e2d947462b4b3d5afd5

SHA256
6e243f59e1f7c05673be4019d0fe5a766ca4f4a3d8881df7b3c6eaefcee757fe

SHA512
e2d298e447257639671d1f0e8663992cb2d91250f209e7bfab8b5168eed10a882a857a134eb3cbbe2883991e1e22b20e6f21389750e2c9fc1eda9f6c1747f6f6

Download Submit
C:\Windows\SysWOW64\Eihjolae.exe

Filesize
64KB

MD5
9554f0f7d72e844be89a4437daad35d6

SHA1
f66bc34c0ca163d4391e37fb043bf7024dfcc9dd

SHA256
6d54674d81292352c3f07177aba25c9ae3f8864f6cf85b1e6de491211b586709

SHA512
1a7ba5577abbaba966cb934b70162c40540be6c061a823e6278639925e9d4cb1e89d2385ce954efe64a1560ef7410589d302a41ab03e70161c7b507e29f0f7cc

Download Submit
C:\Windows\SysWOW64\Elgfkhpi.exe

Filesize
64KB

MD5
da5b6a85043729b576eb8bd0257c4560

SHA1
23d6820b408ffc6c3ca535d2da5c1c1f144090cd

SHA256
5e8ca1947af2c0f98dadfd645c2e222327a81b5bdca99db5967207cd0e56f9a6

SHA512
eb20134722bfdcf0e9c960705342ea3a0fe766d5a7171dcf07807fe0da39dd25e29066f18d77773370501673a27119b787795051db8dd6ed5a3ed5d7d32c1c9d

Download Submit
C:\Windows\SysWOW64\Fdnjkh32.exe

Filesize
64KB

MD5
bb18ffebf8729dc469dfe6d8a18ec5e8

SHA1
f6d3ce9812848e4f20f2e34d7273730637d03a98

SHA256
aefee108784ea2d04c110f290b6f55073b5da95ffe97a4688bbca46d78b0f141

SHA512
a1831df9e4fafe3cedb87b97db257858243aecbc1cb7d97b402508c907e196fe05ba1ddc612e92cc60dafb3322fffd3582fc1f918baa5a10aceae30b5c4c9f50

Download Submit
C:\Windows\SysWOW64\Feachqgb.exe

Filesize
64KB

MD5
69706543117a1e32df250af441ec4cc4

SHA1
d5e978db99a4968f4d291db50752f1e0abe06713

SHA256
d4b26fa1c258627d3830a95c836e2f315756b28ec9f9275ac58f0ae8a954ed8c

SHA512
1d669dc97b1009063bca83d9e4076983eb62742176222a16bbf8bfeaf67af20eddab595baf64e4797278aacb46be3d1d680edad395f998c9a261cbba0229d9b9

Download Submit
C:\Windows\SysWOW64\Feddombd.exe

Filesize
64KB

MD5
e8895069962b73f32da235c8e603521e

SHA1
9b0db76fd093f2509b824b98b57c6134f288fa2f

SHA256
17bb01600cd508d308a15b25272570829603644727785627c3adf9a845f136d3

SHA512
e2408ddbc438b8de2b7c8f1439cf3397f1e8bb780d5de520bb5c4b77ce20a6f404c24e556334d0757a4c6c06657f1c4d7d2c8da79add49efb9bb6b267e6d6021

Download Submit
C:\Windows\SysWOW64\Fkcilc32.exe

Filesize
64KB

MD5
9a6539555f8bfe4ee68502def775432b

SHA1
7f68d35aa24efb9cb51704e8fc21ef6934ff1656

SHA256
25a36e7bc300e29e752cd4c44966b3eb1257c20ec0e96e0d07a595c92582abf5

SHA512
48d3ae232d47e6efc1814ad57e5b671336dc26090fb44e45dd0412c2916cc965b018250f232c6cc6abbe1bd8598afc85bf8704a3dddda83c991bbdd1533dbe10

Download Submit
C:\Windows\SysWOW64\Fkqlgc32.exe

Filesize
64KB

MD5
9b2ce3f7ff3d712a1e2747a83b13cf3e

SHA1
8d90a31fb989d8b98d126a5b918644fc0039dd86

SHA256
577b067fcf306df9d11c7c40fb533f0229a25c0e729639e7502dd3120d7800f2

SHA512
05e5ae34c66ed78cd6e62ea895026b4f33af6579985edd1b6874a34230909f5dadb1823cddb7f84bb4bcdaa4c2e2ad95eb42ee0687629b3baf02b127ea4725e8

Download Submit
C:\Windows\SysWOW64\Fmdbnnlj.exe

Filesize
64KB

MD5
a8d1beeb6f5ab4df1d9df145605a5b28

SHA1
b060c6e6490551ff8da8da86fd99ae075911e7d4

SHA256
bb9f476ccca422b3aa1789d3b4e62a0e79abb6b583ccd0d349b21d984fb58ed5

SHA512
e55e04d28c4c21452957c4901108a72efc4ddb0d6c05f35f25818e009dfc8aa210ec9e3d1af517ef56003afe1793d485d221fdf4ed7895c2a6370eb28a46b6cd

Download Submit
C:\Windows\SysWOW64\Fpdkpiik.exe

Filesize
64KB

MD5
b1c2917fe13534331be95cc02f7d5159

SHA1
5782d357d4c4739e5116f3b7829d74975e268d0b

SHA256
12d299b352a0bad57240552c80c78a848e08756f4be0dbd082bc1fe9894eec32

SHA512
bf80032582dad1d4947fa741090145e1b6d944ce552ea17ee66acd85e4c00edbda4e1c0450fc752b8c5a4e3813635e2c87bfe1eb4e77ccf44cd96ae62af6e127

Download Submit
C:\Windows\SysWOW64\Gcedad32.exe

Filesize
64KB

MD5
28152a6233cca1c47e580724d6ee9687

SHA1
9521c0ee0bd8a2bd77a11716ce735b51cfd11f7a

SHA256
3ad0edc1f3343f53c26f6e99a9f5322dd819209c90a7966eba900c235c5c62b9

SHA512
ce07647428821974e290375daa0d27b5a1441fbb7f0a955c3f48d5d83f7bec1f0f51d5ac00f0d8b2f9c2cf32866e1b92106be99927eb97f524703def4af28ce1

Download Submit
C:\Windows\SysWOW64\Gcgqgd32.exe

Filesize
64KB

MD5
76360b6822db886546eeed3db21955ae

SHA1
da26fef0d9310702efe4248d26fcd8a814cc6201

SHA256
50f4542526fceb1ea97c85069b5a296b365000cb9e97d87eefc0b33889b2c5e3

SHA512
3809e71dd6988f4b4630ed4c450ab3e9fc8b6a1b6b053e63da547b37a635208b01fb5e77a6711b9c98919722120b42844d1a307e6069e3e1f0fc4cf50eaaccd7

Download Submit
C:\Windows\SysWOW64\Gdkjdl32.exe

Filesize
64KB

MD5
e146c11c20c1463d7aa8e674889076d5

SHA1
df4da0b702fb1ad08411ca1b35d3198375580cae

SHA256
4ae7e504f8ed65c7569449063ef9723da3f30c995b7e545c984ee1a3fca7f35e

SHA512
817c9a669e34e373d40dde4fa7b8c6b844e11dfff3d69c6612eeea0ecd70b341edc4dfb79b7525550507534f3f418eaf1132f66185d231616781ba88e9181238

Download Submit
C:\Windows\SysWOW64\Hbofmcij.exe

Filesize
64KB

MD5
5b7906be55ee6fb39a819eb26fa2016c

SHA1
4e02bedd9e08a17b6692963207771e3b190baaeb

SHA256
fc3210d3cae03d797544173dbd68145955137b8d675c1e0ca383f9dfb8e1ba72

SHA512
f94b98f2a244b129dd63f657d730ece2cce4bf1ba65821cc3e589594627744b741031221e6c66d95c909be01a2137adaab7fa4c2aeda5b45f97165795fdeaf76

Download Submit
C:\Windows\SysWOW64\Hcjilgdb.exe

Filesize
64KB

MD5
10e627aa9267a659932a228aebdd446d

SHA1
d84677f0d3243ea46bc827f91dfefa362c0f7a41

SHA256
c155ef83229499b0714e86118704ee039e6a8dd841326e9582b6187d03beb49b

SHA512
2145f2b95caa2ff5eb10a6ed1c84277d33f06ee12fa23265bdbac88df099a80efc77c8c4ffe975966ef1e4cc5c488d7bb3e41d712474eb73ab04f19140278429

Download Submit
C:\Windows\SysWOW64\Hjcaha32.exe

Filesize
64KB

MD5
2180964f75e7a02328f8eedab316c8ae

SHA1
411ac2f7ec2c5e316e597207919f5bc871830d22

SHA256
83b9ba2369297fb3afc880bf325166f4052826eadc7d814f06f761fad96054e7

SHA512
d8d1eeeaaec9c5023b325d32c3d3ab2e380f79118a1ee13c93560026e71d2affa391a5f5ea228060541f31cbb9b58dbb9801130df1978a51c69e44e6b52b2b68

Download Submit
C:\Windows\SysWOW64\Hmmdin32.exe

Filesize
64KB

MD5
45275cf25319fd18721cfd0ecd76c98c

SHA1
58af0501057afd8da8cce919bd97c70317c3e618

SHA256
d4789239254ad289d40ca3b94b883fef6728325fe3d5940cebdfffaa738d5ed6

SHA512
328b8af9a0578227b47581bee79cc9fb53f9b3a37fabd4ec0b2c97ecc1732d2632d55a597d2c12f8313b989149712b2bc3abd969bd26d01f37e2aba28399faf4

Download Submit
C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
64KB

MD5
1aa569eb0547dcbad2f1a7c28ac73252

SHA1
558d22e0d08f4ee852933776353366898cbe1b96

SHA256
366adf0abf5d57a976586b55c61acc4fe241403664467affa0df95ccd85a2072

SHA512
1a84813c561be8217affd0634fe8f677e222f23e191981338fda5fc8aa1bcc5f6ad44302ba3d5b79b2be87374574bbe1771116cea34f4ac6267d459eeb46fdf9

Download Submit
C:\Windows\SysWOW64\Hqnjek32.exe

Filesize
64KB

MD5
98ecebf41e3be30cb73626c8ef557dca

SHA1
d8d9eb236e9c2aa3882ad8b7c11cb815884d9a8b

SHA256
02cd52102a013b50acee044723be4fd2afef0409dbbae5b2e68118c4abef798d

SHA512
4eb948cbfaefbf04f3f91842206371ba7769bc090907ea337f9ffa30d35130fa0a1566c8488510d56840c39dcf87979116b11189dc03f58612f07c6a152f4d6c

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
64KB

MD5
207c089a57c71e239872f09dadfb9da1

SHA1
5a756d9327240ab419a5903de5088894328aaf6e

SHA256
7ee21da4ff56a4b1e7444cebbdff686b3db4dfe497b08a19069f5b18a4bdeb16

SHA512
5f11e6ff19ed5cf8768a8024e75b7551ca75e33a9f5ae7792d09f701cc6ea2b0108d4222781bbebc4dac70f6f17028c5f721f359b646a11b1028a6e13077d51c

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
64KB

MD5
4d68b1a58c305471db21139a828cd830

SHA1
bb4a11d7fae5ed1c1d59651f7230a3c68ac3c99f

SHA256
6256f2697492dfc5c4ddb0673e2b905192ffccd5256d50f11dd65e7d7a31f957

SHA512
f9973c7b2e769bed9f28929e34ba6e86099043a821b8345ae74b4ca09a2440cfb320e6c908f0afead23f01e237bcb7168ec2ed5b8a550778c7e067747a6361cb

Download Submit
C:\Windows\SysWOW64\Icncgf32.exe

Filesize
64KB

MD5
f5182e4e55bc711f8efeae906ab11163

SHA1
809a628703c81ed6986f596f5e13a949883b3fd0

SHA256
65ecccc08c84432cabc1f778b4902942a8da2427c7c9b8c62983942ad40c94e8

SHA512
7f3dd02835c0404ad904dfb54298d3d6ac8066a0942abcffe8c7a53d9550e6792ab6bcc55da0f4d7828191d51d0021671b6a0b25962ced09955157c9cca47dd8

Download Submit
C:\Windows\SysWOW64\Igqhpj32.exe

Filesize
64KB

MD5
8cfe66200b8ae9b59e6d816714029e93

SHA1
76d10cbb4c661c55d05d8071602eda1b636ef067

SHA256
c21d0e0fb292f4d7934850476f1e51a969b432421a5676711b031319a7445f74

SHA512
9d12cfa6f05e94a95ef20998d76f9d0a2caa034101876bf269c1105b6d50c64b484a1f43d21c14fbf320a5f3bbede7c0d83c7732f32734b1a95160ac8856ea50

Download Submit
C:\Windows\SysWOW64\Iknafhjb.exe

Filesize
64KB

MD5
07d352375a7bf1869b0adf338f6771d9

SHA1
1118e6f146477dfa8ad5518f92fdd072f70096dc

SHA256
37765bc7b6506654c8850ff91ef45be42c2205c1ec3b582f5ad5bd9e0bf06631

SHA512
5589012eaa6055065fd6d84b4ce508894a0b8ec754c1d4db09c51198088f6b64b8e960416c427eb112fb6f0c0b824c9006a85bb32ac9207644687391e940a1e6

Download Submit
C:\Windows\SysWOW64\Ikqnlh32.exe

Filesize
64KB

MD5
448d2d7c48b641e74608757198432132

SHA1
9cef3411ca3530ca983b4cdd88784d4665678727

SHA256
a3bb30173355525bd35ed2bf0e8daa825fa95226abfc3f3bdb5931dc4ca4de37

SHA512
c3f6a14b83abd2e785bddbc02ed23348566a2b3e425d1b6bb853a157bffcf5c04b0be761f639a4109e59b3a3894d2ed8ffee617019fa452234cfa950e3739c1d

Download Submit
C:\Windows\SysWOW64\Imggplgm.exe

Filesize
64KB

MD5
13266d89d32d10641f989073a591d2d6

SHA1
198f2325da2125b6292136dd8a00bb6fe72e6550

SHA256
b07bd72a62e9268122186163c096c8b338721fc2ce7e8754030055c39d5c9d5a

SHA512
db69921e549b72507051be78796ad6a2b72839a0fbe46b7f3853a234e0841a1a416f35b3908c94bbbf6188d5a9e105fa5a715008b0770c5b324dbee79e4cd0d0

Download Submit
C:\Windows\SysWOW64\Inhdgdmk.exe

Filesize
64KB

MD5
acbd2d42cd61f75c56a1df2904781966

SHA1
e1e42cf324f83a6e62c13e80551725ddd5b65065

SHA256
0fc6a924b44d19abaaf3ba03fb57bc2be2505af700276be2362b0a14fb549ba1

SHA512
0616847bfdd58a3eb59b362e45eb8609459e755d2c24d575a3337e963fe6701b312576660b50247543bb382a383bd918d866507f6206936d50f880117ceddaf9

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
64KB

MD5
b02c1c90e76533102cf7e7da9e4a29f9

SHA1
4b832b399d9e70a872844f96f3d3860848438d1d

SHA256
1f87329a0529ce29583049b508462c1bdfeb3a57f0586a66c464fe80936495d3

SHA512
17d3996199be80747eb23b7f0fd4930badde2b173f7084b5ab1bad48836a7ee12ac810f513693169a8d98bd4c2af54a2d5d2b5e1cc8f9651102d1c96096e126c

Download Submit
C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
64KB

MD5
85a62992634c73fd3e68150df422e129

SHA1
d5d56012c3c7abe2aeaa5663a1fea71742fd8dff

SHA256
122428676e889ceee0b2ffa189535cd7a7b649e876a26593c3783d50f6bfd9dc

SHA512
5efd9a4a8a0862d338849ea86b3570142f64f1677bed993c293d243bec3d4521a1695dcc7f0671c2349e9f0323f60a2dacef3bbc4ea932fd406a66e133350e8b

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
64KB

MD5
3c36aa62c0336885d455ffbf7bc054b9

SHA1
fe3917fd64db5dd151b6d3c52de414fa4b0355fa

SHA256
3290cc940e5314de9829146a90612c6ac3dd6c9f2eb752d617b4269023f7fd9f

SHA512
cbd4622ce8fd2a4add9900eb93ca63a24aa0253fc9ae5d8408a28348fe1483e94c8633f462d974d7c7305bb86996e29a2e1bb80a546038ab766dce29f5d45fce

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
64KB

MD5
4e4b92f7cf9a884cc1569ca56631e763

SHA1
357097ee0dc57889e6afced040367fa6d4148283

SHA256
52f7d74f8e634129433c0eeb97e1a3c25f6197a8be36ba494c72a6f5d6882386

SHA512
3b70d1807e6c283f10d1233455d894c9395981eca67c3e7b7b5e2d5ff4fb628b5bc6d795e23f3fecd9f889618bcb9e318c642f10fd15e451d1ccf5348b2e5ff7

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
64KB

MD5
b3f1c4a5d3b0538a6fadddcd270a29be

SHA1
22d18942c3ff1895f8830b8f169c7c60de53eeba

SHA256
a898d8cfd1e11645136551b1e60307e5c6adbc4e34528c60d723271488e83d73

SHA512
a30167efd1e5d685ce8f997d986e1302cd1b645a96c2cbbcaca8b2c844403eee03cde946ed4d489061729b43e390e3c2a936574461dfbc2e564fa9392d0eda79

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
64KB

MD5
cf15e0c1c4364ec56cb39a37fa36afb7

SHA1
ed23645846fd197284f3a54c24f12b6d3b3a2f9c

SHA256
cb3e4d39a92249fbb7e97b2e41d207275548c94e8174cde327ef645faa766714

SHA512
d0172dd99c353809c9eb9a053e570674cea9834e8d477ec61cf32cccd22f8d5d83dbafc366a0bb793f9630f7cf2adf67a90f59c0882a0c75e567b7043888036d

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
64KB

MD5
8521e149c48c4dd337f48181610d5e47

SHA1
a0421ce996a3b01bcc6e997f2aa50245ccc0ab45

SHA256
a72391ffe4af2edba486962154e203b6cc5f120b826552908e51806e1a4dbcaa

SHA512
2f50a15bd83bd368a83f6fb88a4d4664281b7512f67398acef394c23a8e515ddd019c05d25557a86db92edcec4a6d0cf6c932eab4fb11924656848ef1c489628

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
64KB

MD5
f956849d081350c3d21f82464786eab8

SHA1
6cee2c3846f3c88414e775efdc12286cac5b112c

SHA256
f3169f0586e5a3fed3e9c2cf514386b087c3b50232d192f1dd10aa27862d6be2

SHA512
8fef2296173d0c491e28d5ab4ff26f9d78ffd9d03ece416c1bb744f19c0cb5d81d29e8df00058b2fa4715a98980ae591483e13866b268e495b06640b7d00f14c

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
64KB

MD5
db3afa8be7ed36a29456d50d6cc1434d

SHA1
b8f4999d559c2b5b8ab88cc08b3025d89ed510cb

SHA256
d197f04d8748fc091b6858a411d959d5fdbed7ab2a1aaa954b3b7e14d080443c

SHA512
da513c50d27899d176ecc84794cf40306364028b04e269e567b3f68737baeb6cc32e8396f08348c8e6c4f19bc7aa576ee2bd63e682066cc2d3136bf2895edf60

Download Submit
C:\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
64KB

MD5
5e5a5f8eac73e9d4ec2752ae79f0ed0f

SHA1
8c969e0ca8c26bd59a2ab1a511bc5244dbcf497b

SHA256
fd44d286632c837d842bc4f1f0cb3edfe9aa6ed9453b337f95e7eab32cbd567c

SHA512
89eca8f7b2d28139edc67c1fab0512a4a0a66fa9356088b382cc9325121a293e05166967ca6156582faf24d041d40a5353e9e91ee9c175ef469421a1859fcb48

Download Submit
C:\Windows\SysWOW64\Jlnmel32.exe

Filesize
64KB

MD5
b8af5e58dffc185d40258449a169cba4

SHA1
43260785ddd681248cacb12c167153b73a7cdfe1

SHA256
26552b8482b0483d600f6a9428e12253f6b7c9cbc7a48771381a272c50f09ff8

SHA512
5bd88df004bc141297995a63f48835aba8ef1e92e9a1cd8cf6b343f52e5ad92ff611c09b80a87d55f8a48e68c93d7f3d06537867b43977dbe29def26d3aa2585

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
64KB

MD5
b1b2bd288950389f4803939d0718fd16

SHA1
f95aca5f573131558a4b61d071744f2686305393

SHA256
e2d95aabbee2b60c74034184dec5c81bf8f444a7b1b3c95a067a254bd4efaf97

SHA512
d04b6290431037396d45e5e7ab3fc9d3ccc1cbbdd506ec923179ed27cdf3d57ff1c7b43ee069c7157ebafe9b3059610e43fb2fa697e6c7233567d03c1ca68214

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
64KB

MD5
af0b5e78fe4a2e800a08dc42d90a75ab

SHA1
f5772dc53c914b1929203bb44bd992469b3ced3e

SHA256
c077be3148bbfb04bd1ba0cfe669f215fdd129964b67ba8bd24110c646157234

SHA512
f05fc58755a9e300e0f0d51e0d09df3d41c185f6336fc87915de08947af26a0efc0e248b9423bda8f3b86202a7b597d2fc8a8cca67495132b55b37fbbf3c4936

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
64KB

MD5
ecf15d6b687695badd33f48a65c6d367

SHA1
c52e200ab771bb2d21ff5031c2f8df61db1c576e

SHA256
74bd1e78cf3fbb4bdc4bd3883e6d71f23345c8740d8f73af2236b3bf348f8981

SHA512
3dc8fe0574e70727b596a1f64fe9157fbc2cd523a995ab111b41eddb7d83fac0376b38a6f9c2402575edc547e964757922a9c91976085dbb9e9ebd33486ef210

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
64KB

MD5
2b97b9f9d562c46019e79f9f4553e88e

SHA1
9caa047465df288925e0f772304d876e5cacad83

SHA256
331bb1a46d74785a0963831ce4cddbd0bf09c8654e16f94447daa43428834b2f

SHA512
9fc7e1eb3ec260d26487d84f486854c5c5eb9057a3d6d2e94615ff1662d14cfec6130b06580571db04b156507f4a17b67bf497039cebbba4e1129cc84fc49980

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
64KB

MD5
0c0520aa8f1481757e02c2b05b66bb6c

SHA1
d2d30e20ed65768f397bb3122d02fbebf979f801

SHA256
c4d1a059b43a1eb72fd1afb8323e9d45b51209f886d2369c42fac00b8220869a

SHA512
4a6d248e8740e5ffde94b5551a0df585bee043ba2b1f2a823ceece490a81932f851424edd831e4cfab834df7fdfff6e2826a55b4228dfa8a24623f7d9147d4ca

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
64KB

MD5
fbd8be5e020d49e8521237c1084e3982

SHA1
a165a25e72e2a2747699a5d05764035f1db1ce42

SHA256
1134e314704a81d34b2354c5f7ba0d2024386f3a42d49c9e58e5e3df994feb80

SHA512
10817606d702ada0900f48fd86bb05c6784ff9dda361c48b1cd772ce7efccfbaae2e0ae936391134493cecc44d513fa3d748812565eca8d5d7626c2c60559840

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
64KB

MD5
78db876d4da05a539ea23222850e0f1e

SHA1
a2f4b5655a5d736183a930bd432eccce03417557

SHA256
d99b2261eb4b246f8fac40335a2e4419ae6ff94c97bee1eadf1e804a4e194501

SHA512
8f7437f9fdbc83cdb35b7cce7eb0363a4414e8ec570552fa22763bbc06d46741327ec425e5dae7b46292ae729f8499b0ce11aab0c5eae5d4e3bb8cadfac0966f

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
64KB

MD5
1b704215a02fdeb3880413f38247299a

SHA1
b8d6c1ada95e02332059ef5ed35407adac3cd94d

SHA256
3ed5eb4897ae780e5a99d07d0995d809186d50e588b85b6efbee6587d3fffb90

SHA512
a2c81adda5bb69ce0cb44a9884f975850306fe6f7f5f270938b40010f18ff87502f8e093571dc9f73ed2e1fd034c591bd0995aca5ab4ad7c7a0f1822d7cc8a3c

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
64KB

MD5
a205ab1577ce786db33586d3eeb1aa05

SHA1
fae48d6b50bfd240feed8b5cfd94f4d6083f7a1c

SHA256
04b46f65c3b736e508b1751902ff1695a880e96743f8caff0a8cd36092f7b99f

SHA512
3682454e6d8b62e2b8e63741a14e094450ea594923a59a52d7134a7542c99f4d84c84aeaf0159d5e30be19afa7caeecf9c880b783237051a505c1a41a1debea7

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
64KB

MD5
1f1086fcee815ef5b77786cc4a82c108

SHA1
a44ebab909b043cb8a79fdab6f902d0b833954b4

SHA256
d2f9e0cf8aa3a57b08b3572b1e0db6a1f8b5592876a3351ac2b2fc44bfbf8793

SHA512
4acf5877a355c5d0c92c5457669b1b2bf58e46c028346225038b07ab78b7d9a8774536e72fd2b06b20b7389ec91988c236167a0157ab695b6192fe143d3c7c5b

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
64KB

MD5
14b5a54361ab69d18fc89f299f260c3f

SHA1
42c717e837c085e5d4e746cb2b38300cb533a030

SHA256
6b220bf63d435828ca7ebb5fbb3f9beb63b4e241af275f6c778b3658445d7b21

SHA512
9d237da1177604585cf4e424e99f18b81b855f75eb6c8623045121686afd80dda3044c5db852db9057912ed09be1d55073f27500fb0041e5f22f2e3d17a38001

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
64KB

MD5
f7e1e923470a26876fb6e23d4d216a91

SHA1
bb31749f5ab2d27d51ee47a07be493af5b39ecec

SHA256
43e1a78c7299784e3f4e4525358415767cddabd2f7b07455ddbc7555b30a328f

SHA512
9839a0f06b972c89027cac7c033031c1610cd454fa8599832f49622b37220a05713f057150d7b6de6594d9dfa90a0d272d18f16d995e8602c285693f225c023a

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
64KB

MD5
7c51b40f0c32c2983c27c25c7a99a1f4

SHA1
f9d692f36a589163e14ca2dff9854f081abe5f98

SHA256
9e320b3ace6cf4dbe25c0f8bf30a28e96ce1f0ec4b65b8ed5eb47f494c65e3cd

SHA512
dbd4630061408dace0a3f4d82a6bf425e72e77b1516ab34222e9b5be49efb0d4d99f9e16236b23386d698af89476d657896e4a807e8aafe2405178127a8ced36

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
64KB

MD5
0baebf1fc4377d7f353c7ddf6f1cad85

SHA1
ebc86e2109028884e6f9ba30598ced33dc5c7740

SHA256
a975ef0daa11325157c80b848d52f321a8b173d6a32efcb7479c4bbda45d0aa0

SHA512
16329bc54976cb6ff52a488bf4e40eec0ec7c73553161acbfee406fc733c2c63cc3cb48d375d81a713a2c02a2aaf407ac6f7a95bf773e9589c0365b91fb78733

Download Submit
C:\Windows\SysWOW64\Pbgjgomc.exe

Filesize
64KB

MD5
77933cceacdf08bde3c4333680f2198f

SHA1
63cccea05e21e54c5998cbf4670a533072aee85d

SHA256
07ce40447b1ad0e60e528726de722136639a32f75fd43bf2cbfea10e3b4cb829

SHA512
6b76120af251abf0b59aefae3b64a55158cec728af1ce235d31dc5261323abef774cf6fff565ec076167de8fde6fcedf1d5477cf4466ae49220b87dfd71453fb

Download Submit
C:\Windows\SysWOW64\Pehcij32.exe

Filesize
64KB

MD5
b77b161231fd32065cf07a16c3037135

SHA1
c2654ddee9df3777a6b2fb084efbf3c3b14acc77

SHA256
29ee65f10ecfa4c55bd2165cf3c92af28ae93fe322d32db8a622829fa946db9d

SHA512
9ea83c54eaae40c785f61b0fea0afdc54a4b096f87262f661f25d283c284c3b2a50b34a5df229d0ccbf858e63c997e01fd32c44314cf4b3ec728021734b65471

Download Submit
C:\Windows\SysWOW64\Plpopddd.exe

Filesize
64KB

MD5
c92a42dbe4e57f70a24ef59ee1281157

SHA1
b400d0920fd7e2d930abf315572e6badcfa4ea38

SHA256
90553b2f366875b6783e039e43413ba70a33a3837ab0e29893896882090da8f7

SHA512
d542972f559bdf4fd396890de2ddd25f9a79cbcde165207b808be79614aafa590db03532d7bddd1f9c3953ba552ca4f03eca293ec6b78697be7b97d6f17dae76

Download Submit
\Windows\SysWOW64\Agihgp32.exe

Filesize
64KB

MD5
43dd4e8514083db2e28b144a1d23756f

SHA1
2944ef0e0b38e1253b0d837d2585cea8f70fa313

SHA256
d23e7feeb8618a497181e61bbe06439d55f8f2db31a02173b3630a896ca2a102

SHA512
223cbebb449a98f4f822402fe0a474302cdfefbe8c4873cf2385353c6fed6d2908e837721190aeeb0b9d53de2df42110c88f452354bcd7c0959112afb682a321

Download Submit
\Windows\SysWOW64\Ajehnk32.exe

Filesize
64KB

MD5
f2dbd4459b1574aa7c1ee5235d5018e4

SHA1
e8f8beb52a6534918ac492f0eef40e4b094da083

SHA256
aaafeb10aa74ef489748f4e85893c50f08f2ff8ac555a6e97322982102aedf54

SHA512
c8d16a48d9f3437ba36e5189af9aee0d86898a5b9bbad288fefd0190dd2ca005caf79cbf78c2a43c664f6c976929bd41e01fb18e28bdb7e19477348b9a892bde

Download Submit
\Windows\SysWOW64\Alageg32.exe

Filesize
64KB

MD5
e10a120b84000e75af0751d2dff8b128

SHA1
01ddee48add883dd906fa28fb077cc9b57785514

SHA256
d345afda2d4516f769257944a5d00ad96fdb93d256a156a1cda15702567b4c4e

SHA512
c169e52b1b2a35836ade6e9e17d2c9e4e9d14d34dfc772fb5c188cf6565abf262dd4fb9f0d23a537f3d66248de5f458818933129bf1c5bf6abed4ffcea601636

Download Submit
\Windows\SysWOW64\Aphjjf32.exe

Filesize
64KB

MD5
c3f9acc7c371e3d7421c5741740203ae

SHA1
410061c35a08c3530ced9d3abe7101fad6687998

SHA256
ab19740c311b6bfd6d2816354e67762904ca9d8acdb4521b15c963cdc4adfa6f

SHA512
1e278c093d57a0643e15f1e63c2b9fe3c97e695f4b9da1f24d6892453263e48682a9805c758a9a1155382c084380ba2ca7b72802ade25f045b601428e1bcf541

Download Submit
\Windows\SysWOW64\Bddbjhlp.exe

Filesize
64KB

MD5
9be382fadce052c98346b0801d74d6e3

SHA1
8cf0cb4b7ea75b19d21291e500e4cb33e396a132

SHA256
76845230fe2c37252a043d0cdeca236792e43061de3a77d1b05477c78ec4dc6e

SHA512
e34da0bf64401dba839da904b9519475bf26351666ccf2f3058922991f5244e0c374881cbe4be8a8ceaddfe7476337d591f7a96358f016e5f953bae55033ab64

Download Submit
\Windows\SysWOW64\Bgdkkc32.exe

Filesize
64KB

MD5
82b1cdf0768b1f498a2f984e70cf71da

SHA1
7e885d3e7e6b8071f25237dff53ab59c4476bb70

SHA256
d2865d0b04b8a4ded8d42214efeba50598a140a900a6768873aef4e6feb27ac8

SHA512
439020da3a63381234ccaa9552fbbac8e3dc74a5edc0248efdcef2a5bf2ddf10c10042a7791a2abb1c12fa04e56a82e5410b3e407f086d1e40e93b03779e9e91

Download Submit
\Windows\SysWOW64\Bhdhefpc.exe

Filesize
64KB

MD5
1a4f47872709adf8ed1c4695bf3252f5

SHA1
640034eaf22de3f3400fa728556e519b929b19d7

SHA256
c3658150c1ffb3c229250cd95d63695db5f609e9526cfdae18f1c098c165b3bb

SHA512
c692757b2e066f4e3330f3d6422a2527aae2b6442d293dc4b8037b61a2a57c997b0da64f27f1a2ab91607abedb92c732c54163b3b8b0f799a1964f212b3f4fd8

Download Submit
\Windows\SysWOW64\Bjjaikoa.exe

Filesize
64KB

MD5
09399729eb0d37ce59fcc6cb7d6162ea

SHA1
334adf78ad3e62f517de4d25fc2142ce95171e3a

SHA256
3a03c72cb1286a7361fa1241694f177f3668ec0fee6c72cb538de405df33d410

SHA512
ce5ea99908cd0d5c0754b9db6fcd70563f366d479d5b89495082942969cb3c9a072dd133c618d9f204a9976d843ff8c7a2fcf9a56e86738886fc7449b61d74d3

Download Submit
\Windows\SysWOW64\Boemlbpk.exe

Filesize
64KB

MD5
bd8a986821753a7795acb41152881a46

SHA1
e300203653b1fd64883218d4ebe25e91c8610051

SHA256
882948df62268abdc9751a2861664b572d972e9efe2e2ccf577c88559f0d3b11

SHA512
00e6dd8845eb2116609bb54ca7dfd2bdeed1947bd48cb00487ae095f3be78da0578575dac30ae3777613a91d1ec3a5098ec3172d5606c6cfd3962245e019f551

Download Submit
\Windows\SysWOW64\Ckeqga32.exe

Filesize
64KB

MD5
c1aa35c6e7d66acd07429784f3b485e9

SHA1
b9b713afbf0357beeb896226d918a2736cd44dca

SHA256
5f725474faa46880fdcac9bdac45a5b44a427a71e8f4bf08d02b79190af5e23f

SHA512
221e8f1a076de7843d477f1caa4168cb4edfcf907484b5c8b20816fe35ecee9ea7992f32f4a27fd849087c818fead6a2334d96e2cfca80a498a44cdeff7b906a

Download Submit
\Windows\SysWOW64\Qkielpdf.exe

Filesize
64KB

MD5
293df408319fdca7b857210e36e83c22

SHA1
8b325911747cb032c36497f95ec476ce497b046d

SHA256
7d75e30baaca0f33683561783a3cea1ec24507fba90c31bce98aa010023d148d

SHA512
bbe8c84ed6644a8830a1a0161884ac205867d25abbddcd0a279f914053583e873347a9ffbc2ee657da11327c2f0892b9ac4af27a1d83ac2a0254059e142effb1

Download Submit
\Windows\SysWOW64\Qldhkc32.exe

Filesize
64KB

MD5
b59a4d552ba62ccea1e419275d35e505

SHA1
2669e0e08e81f98256fd16905b3a970895db83f1

SHA256
7bb8678caed98247061603df2894f72ce34343d054207261ddeebef9b4403c3c

SHA512
7cded750881ca3cc2aabd1f820dd4b0455dcc200eb2d52636c13b16b2b9d512f11c4593060ab3e54b31382c11a91510844958b6f16520367348b49cafd375ae2

Download Submit
memory/556-309-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/556-308-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/556-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-416-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/844-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-481-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1116-483-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1116-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-272-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1480-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-252-0x00000000002A0000-0x00000000002CF000-memory.dmp

Filesize
188KB

Download
memory/1560-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1560-321-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1560-322-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1620-467-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/1620-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-444-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-454-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1948-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-332-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1948-334-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1988-176-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1988-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-243-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2020-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-442-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2024-11-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2024-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-12-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2024-335-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2040-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-236-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2068-466-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2068-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-464-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2132-261-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2228-983-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-443-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2240-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-105-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2248-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-400-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2272-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-199-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2532-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-32-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2556-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-95-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2596-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-411-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/2616-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-162-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2688-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-41-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2788-377-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2788-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-346-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2796-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-345-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2808-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-385-0x00000000002A0000-0x00000000002CF000-memory.dmp

Filesize
188KB

Download
memory/2808-50-0x00000000002A0000-0x00000000002CF000-memory.dmp

Filesize
188KB

Download
memory/2824-360-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2824-356-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/2824-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-368-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2868-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-68-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2868-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-399-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2924-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-432-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2984-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-212-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3016-486-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/3016-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads