berbew | f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe
Size

163KB
MD5

9fc697ff3ad3ebfbd1fd6490a43b6c30
SHA1

1c9944c8f1e0349d2e5acfda03be5fe3b2e08c33
SHA256

f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3
SHA512

10448fc31295351689e235bc7444b5834e04844eea601d7d0ec2a834f6ab0d14b5b368205b2426fecca12631d949b4ffe0c439bc5758059752b217d1ef935171
SSDEEP

3072:Yvob265YuWzmyxrZFb/VyICUltOrWKDBr+yJb:ooirZFb/VyICULOf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fakdcnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgjjad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqkmplen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkmeiei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmohco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkmeiei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fliook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghbljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghbljk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giaidnkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdgdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giaidnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gekfnoog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggapbcne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gekfnoog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfjbmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnlkgjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gglbfg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fliook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fimoiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Japciodd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdgdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkjkle32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2756	Fdgdji32.exe
2176	Flnlkgjq.exe
2848	Fmohco32.exe
2764	Fakdcnhh.exe
2960	Famaimfe.exe
1752	Fdkmeiei.exe
2104	Fgjjad32.exe
1936	Fliook32.exe
2292	Fimoiopk.exe
1396	Ggapbcne.exe
2128	Ghbljk32.exe
476	Gajqbakc.exe
2512	Giaidnkf.exe
2172	Gcjmmdbf.exe
3048	Gdkjdl32.exe
800	Gekfnoog.exe
1080	Gglbfg32.exe
904	Hkjkle32.exe
1320	Hnhgha32.exe
1052	Hklhae32.exe
1920	Hjohmbpd.exe
2232	Hffibceh.exe
2068	Hqkmplen.exe
2320	Hcjilgdb.exe
2800	Hqnjek32.exe
2828	Hfjbmb32.exe
2704	Iocgfhhc.exe
2712	Ieponofk.exe
2452	Inhdgdmk.exe
1332	Iebldo32.exe
2140	Injqmdki.exe
1868	Iipejmko.exe
2008	Iakino32.exe
1864	Igebkiof.exe
1624	Imbjcpnn.exe
2224	Jjfkmdlg.exe
984	Japciodd.exe
2248	Jpbcek32.exe
2136	Jjhgbd32.exe
1820	Jabponba.exe
580	Jbclgf32.exe
1760	Jjjdhc32.exe
1492	Jmipdo32.exe
1996	Jcciqi32.exe
268	Jedehaea.exe
1360	Jbhebfck.exe
1944	Jibnop32.exe
1228	Klcgpkhh.exe
1512	Koaclfgl.exe
2696	Kekkiq32.exe
2572	Kocpbfei.exe
2744	Kdphjm32.exe
2612	Kfodfh32.exe
2376	Koflgf32.exe
2188	Kadica32.exe
376	Kdbepm32.exe
1352	Kkmmlgik.exe
624	Kageia32.exe
532	Kbhbai32.exe
2088	Kgcnahoo.exe
1044	Llpfjomf.exe
1064	Lplbjm32.exe
2076	Leikbd32.exe
2016	Lmpcca32.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe
2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe
2756	Fdgdji32.exe
2756	Fdgdji32.exe
2176	Flnlkgjq.exe
2176	Flnlkgjq.exe
2848	Fmohco32.exe
2848	Fmohco32.exe
2764	Fakdcnhh.exe
2764	Fakdcnhh.exe
2960	Famaimfe.exe
2960	Famaimfe.exe
1752	Fdkmeiei.exe
1752	Fdkmeiei.exe
2104	Fgjjad32.exe
2104	Fgjjad32.exe
1936	Fliook32.exe
1936	Fliook32.exe
2292	Fimoiopk.exe
2292	Fimoiopk.exe
1396	Ggapbcne.exe
1396	Ggapbcne.exe
2128	Ghbljk32.exe
2128	Ghbljk32.exe
476	Gajqbakc.exe
476	Gajqbakc.exe
2512	Giaidnkf.exe
2512	Giaidnkf.exe
2172	Gcjmmdbf.exe
2172	Gcjmmdbf.exe
3048	Gdkjdl32.exe
3048	Gdkjdl32.exe
800	Gekfnoog.exe
800	Gekfnoog.exe
1080	Gglbfg32.exe
1080	Gglbfg32.exe
904	Hkjkle32.exe
904	Hkjkle32.exe
1320	Hnhgha32.exe
1320	Hnhgha32.exe
1052	Hklhae32.exe
1052	Hklhae32.exe
1920	Hjohmbpd.exe
1920	Hjohmbpd.exe
2232	Hffibceh.exe
2232	Hffibceh.exe
2068	Hqkmplen.exe
2068	Hqkmplen.exe
2320	Hcjilgdb.exe
2320	Hcjilgdb.exe
2800	Hqnjek32.exe
2800	Hqnjek32.exe
2828	Hfjbmb32.exe
2828	Hfjbmb32.exe
2704	Iocgfhhc.exe
2704	Iocgfhhc.exe
2712	Ieponofk.exe
2712	Ieponofk.exe
2452	Inhdgdmk.exe
2452	Inhdgdmk.exe
1332	Iebldo32.exe
1332	Iebldo32.exe
2140	Injqmdki.exe
2140	Injqmdki.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Plcpehgf.dll	Fliook32.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Inhdgdmk.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Hkjkle32.exe	Gglbfg32.exe
File opened for modification	C:\Windows\SysWOW64\Hqnjek32.exe	Hcjilgdb.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Bdgoqijf.dll	Giaidnkf.exe
File created	C:\Windows\SysWOW64\Ncbdnb32.dll	Ieponofk.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Hcjilgdb.exe	Hqkmplen.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Adnjbnhn.dll	Ghbljk32.exe
File created	C:\Windows\SysWOW64\Ieponofk.exe	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Iebldo32.exe
File created	C:\Windows\SysWOW64\Jabponba.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Ccmkid32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Koaclfgl.exe
File created	C:\Windows\SysWOW64\Fmohco32.exe	Flnlkgjq.exe
File created	C:\Windows\SysWOW64\Hqkmplen.exe	Hffibceh.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Ghbljk32.exe	Ggapbcne.exe
File created	C:\Windows\SysWOW64\Gajqbakc.exe	Ghbljk32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Ggapbcne.exe	Fimoiopk.exe
File opened for modification	C:\Windows\SysWOW64\Gcjmmdbf.exe	Giaidnkf.exe
File created	C:\Windows\SysWOW64\Lkjcap32.dll	Hqkmplen.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Gglbfg32.exe	Gekfnoog.exe
File opened for modification	C:\Windows\SysWOW64\Hklhae32.exe	Hnhgha32.exe
File opened for modification	C:\Windows\SysWOW64\Iakino32.exe	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Igebkiof.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Injqmdki.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jmipdo32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Fmcjcekp.dll	Fdgdji32.exe
File created	C:\Windows\SysWOW64\Inhdgdmk.exe	Ieponofk.exe
File created	C:\Windows\SysWOW64\Hnhgha32.exe	Hkjkle32.exe
File opened for modification	C:\Windows\SysWOW64\Fmohco32.exe	Flnlkgjq.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Ckkhdaei.dll	Ggapbcne.exe
File opened for modification	C:\Windows\SysWOW64\Gekfnoog.exe	Gdkjdl32.exe
File opened for modification	C:\Windows\SysWOW64\Igebkiof.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Ibnhnc32.dll	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Fdkmeiei.exe	Famaimfe.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Fgjjad32.exe	Fdkmeiei.exe
File created	C:\Windows\SysWOW64\Cdoime32.dll	Fdkmeiei.exe
File opened for modification	C:\Windows\SysWOW64\Giaidnkf.exe	Gajqbakc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	2108	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfjbmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkmeiei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjilgdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgjjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjkle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnlkgjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcjmmdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieponofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjohmbpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdgdji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fliook32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fakdcnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gekfnoog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fmohco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gglbfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggapbcne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hklhae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdkjdl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnjbnhn.dll"	Ghbljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghbljk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdoime32.dll"	Fdkmeiei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fliook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hklhae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daadna32.dll"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gekfnoog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggapbcne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmohco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fakdcnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjfkmdlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fliook32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcjmmdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Famaimfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll"	Hjohmbpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll"	Hfjbmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll"	Ieponofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmcjcekp.dll"	Fdgdji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll"	Fakdcnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll"	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll"	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjohmbpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll"	Fimoiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fimoiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdkjdl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2756	2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe	30
PID 2156 wrote to memory of 2756	2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe	30
PID 2156 wrote to memory of 2756	2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe	30
PID 2156 wrote to memory of 2756	2156	f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe	30
PID 2756 wrote to memory of 2176	2756	Fdgdji32.exe	31
PID 2756 wrote to memory of 2176	2756	Fdgdji32.exe	31
PID 2756 wrote to memory of 2176	2756	Fdgdji32.exe	31
PID 2756 wrote to memory of 2176	2756	Fdgdji32.exe	31
PID 2176 wrote to memory of 2848	2176	Flnlkgjq.exe	32
PID 2176 wrote to memory of 2848	2176	Flnlkgjq.exe	32
PID 2176 wrote to memory of 2848	2176	Flnlkgjq.exe	32
PID 2176 wrote to memory of 2848	2176	Flnlkgjq.exe	32
PID 2848 wrote to memory of 2764	2848	Fmohco32.exe	33
PID 2848 wrote to memory of 2764	2848	Fmohco32.exe	33
PID 2848 wrote to memory of 2764	2848	Fmohco32.exe	33
PID 2848 wrote to memory of 2764	2848	Fmohco32.exe	33
PID 2764 wrote to memory of 2960	2764	Fakdcnhh.exe	34
PID 2764 wrote to memory of 2960	2764	Fakdcnhh.exe	34
PID 2764 wrote to memory of 2960	2764	Fakdcnhh.exe	34
PID 2764 wrote to memory of 2960	2764	Fakdcnhh.exe	34
PID 2960 wrote to memory of 1752	2960	Famaimfe.exe	35
PID 2960 wrote to memory of 1752	2960	Famaimfe.exe	35
PID 2960 wrote to memory of 1752	2960	Famaimfe.exe	35
PID 2960 wrote to memory of 1752	2960	Famaimfe.exe	35
PID 1752 wrote to memory of 2104	1752	Fdkmeiei.exe	36
PID 1752 wrote to memory of 2104	1752	Fdkmeiei.exe	36
PID 1752 wrote to memory of 2104	1752	Fdkmeiei.exe	36
PID 1752 wrote to memory of 2104	1752	Fdkmeiei.exe	36
PID 2104 wrote to memory of 1936	2104	Fgjjad32.exe	37
PID 2104 wrote to memory of 1936	2104	Fgjjad32.exe	37
PID 2104 wrote to memory of 1936	2104	Fgjjad32.exe	37
PID 2104 wrote to memory of 1936	2104	Fgjjad32.exe	37
PID 1936 wrote to memory of 2292	1936	Fliook32.exe	38
PID 1936 wrote to memory of 2292	1936	Fliook32.exe	38
PID 1936 wrote to memory of 2292	1936	Fliook32.exe	38
PID 1936 wrote to memory of 2292	1936	Fliook32.exe	38
PID 2292 wrote to memory of 1396	2292	Fimoiopk.exe	39
PID 2292 wrote to memory of 1396	2292	Fimoiopk.exe	39
PID 2292 wrote to memory of 1396	2292	Fimoiopk.exe	39
PID 2292 wrote to memory of 1396	2292	Fimoiopk.exe	39
PID 1396 wrote to memory of 2128	1396	Ggapbcne.exe	40
PID 1396 wrote to memory of 2128	1396	Ggapbcne.exe	40
PID 1396 wrote to memory of 2128	1396	Ggapbcne.exe	40
PID 1396 wrote to memory of 2128	1396	Ggapbcne.exe	40
PID 2128 wrote to memory of 476	2128	Ghbljk32.exe	41
PID 2128 wrote to memory of 476	2128	Ghbljk32.exe	41
PID 2128 wrote to memory of 476	2128	Ghbljk32.exe	41
PID 2128 wrote to memory of 476	2128	Ghbljk32.exe	41
PID 476 wrote to memory of 2512	476	Gajqbakc.exe	42
PID 476 wrote to memory of 2512	476	Gajqbakc.exe	42
PID 476 wrote to memory of 2512	476	Gajqbakc.exe	42
PID 476 wrote to memory of 2512	476	Gajqbakc.exe	42
PID 2512 wrote to memory of 2172	2512	Giaidnkf.exe	43
PID 2512 wrote to memory of 2172	2512	Giaidnkf.exe	43
PID 2512 wrote to memory of 2172	2512	Giaidnkf.exe	43
PID 2512 wrote to memory of 2172	2512	Giaidnkf.exe	43
PID 2172 wrote to memory of 3048	2172	Gcjmmdbf.exe	44
PID 2172 wrote to memory of 3048	2172	Gcjmmdbf.exe	44
PID 2172 wrote to memory of 3048	2172	Gcjmmdbf.exe	44
PID 2172 wrote to memory of 3048	2172	Gcjmmdbf.exe	44
PID 3048 wrote to memory of 800	3048	Gdkjdl32.exe	45
PID 3048 wrote to memory of 800	3048	Gdkjdl32.exe	45
PID 3048 wrote to memory of 800	3048	Gdkjdl32.exe	45
PID 3048 wrote to memory of 800	3048	Gdkjdl32.exe	45

C:\Users\Admin\AppData\Local\Temp\f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe
"C:\Users\Admin\AppData\Local\Temp\f93ab0b1b72d0c0684a489c51ac78806db850612594044e2ab8716580c7793c3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Fdgdji32.exe
  C:\Windows\system32\Fdgdji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\Flnlkgjq.exe
    C:\Windows\system32\Flnlkgjq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\SysWOW64\Fmohco32.exe
      C:\Windows\system32\Fmohco32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Fakdcnhh.exe
        
        C:\Windows\system32\Fakdcnhh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Famaimfe.exe
        
        C:\Windows\system32\Famaimfe.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Fdkmeiei.exe
        
        C:\Windows\system32\Fdkmeiei.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Fgjjad32.exe
        
        C:\Windows\system32\Fgjjad32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Fliook32.exe
        
        C:\Windows\system32\Fliook32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Fimoiopk.exe
        
        C:\Windows\system32\Fimoiopk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Ggapbcne.exe
        
        C:\Windows\system32\Ggapbcne.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ghbljk32.exe
        
        C:\Windows\system32\Ghbljk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Gajqbakc.exe
        
        C:\Windows\system32\Gajqbakc.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Giaidnkf.exe
        
        C:\Windows\system32\Giaidnkf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Gcjmmdbf.exe
        
        C:\Windows\system32\Gcjmmdbf.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Gdkjdl32.exe
        
        C:\Windows\system32\Gdkjdl32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Gekfnoog.exe
        
        C:\Windows\system32\Gekfnoog.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Gglbfg32.exe
        
        C:\Windows\system32\Gglbfg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Hkjkle32.exe
        
        C:\Windows\system32\Hkjkle32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hnhgha32.exe
        
        C:\Windows\system32\Hnhgha32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Hklhae32.exe
        
        C:\Windows\system32\Hklhae32.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Hjohmbpd.exe
        
        C:\Windows\system32\Hjohmbpd.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Hffibceh.exe
        
        C:\Windows\system32\Hffibceh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Hqkmplen.exe
        
        C:\Windows\system32\Hqkmplen.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Hcjilgdb.exe
        
        C:\Windows\system32\Hcjilgdb.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Hqnjek32.exe
        
        C:\Windows\system32\Hqnjek32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Hfjbmb32.exe
        
        C:\Windows\system32\Hfjbmb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Iocgfhhc.exe
        
        C:\Windows\system32\Iocgfhhc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\Ieponofk.exe
        
        C:\Windows\system32\Ieponofk.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Jjfkmdlg.exe
        
        C:\Windows\system32\Jjfkmdlg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Jbclgf32.exe
        
        C:\Windows\system32\Jbclgf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:268
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Lmpcca32.exe
        
        C:\Windows\system32\Lmpcca32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Loaokjjg.exe
        
        C:\Windows\system32\Loaokjjg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 140
        76⤵
        Program crash
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Famaimfe.exe

Filesize
163KB

MD5
c2d14605f28a3d0ab941a7b9494c6f39

SHA1
3bb923e805a45b8cb9561bdbe5b16b26e0ce89e0

SHA256
39e48e42ceb55d50d18cae00b3f35c055de546b5dccd0232fc12a79183ce1285

SHA512
2fbe5f262dc6f387e9addf5891c1ff32262e3029233895721d06ff2d6b804b8a57c588c747cd7df98448d7723ed8ba11b9474f6230bbb9fd4596a10aabce98af

Download Submit
C:\Windows\SysWOW64\Fdkmeiei.exe

Filesize
163KB

MD5
3a1adca5e087022e77aa26194258e5ee

SHA1
cef223db9c706b1e77c3273e307aafe0b967dfc2

SHA256
ca67d96b3f2d65a8f0f2fd803246fdca47dfd46519cb39549273dc289d907637

SHA512
9022a69fdb75915c0d00e0472a65e086390ce211bd2277656867673be5e5eccc38c2e63bdf6fc4a8cfce1989ee2233055342ea6fc91eb4b3ce35cac685dbe66c

Download Submit
C:\Windows\SysWOW64\Fgjjad32.exe

Filesize
163KB

MD5
32d5e17448ea835ce449733deb13f7a0

SHA1
fbd2033aca98a7c799a12aa77bf9f7f21165bb46

SHA256
d4ed8281b26b2ffc79d7d6a5458bf34ff458b6eacfb453c37bd8551ac2e28fc6

SHA512
fae21839f8e5e1b59d1d1db289e149dab105b6d6e87b5833dddd62c747a93fb5b6805f0ad974637f959cbf385781bfde73b070b80a60fbae8c5ebafe46e086b6

Download Submit
C:\Windows\SysWOW64\Flnlkgjq.exe

Filesize
163KB

MD5
09933a79661a034d6f7f61e13583483d

SHA1
0299e0c929d944c34406d803e1edca002b436070

SHA256
eb2306c998f16d7bfa844da9a8494ad7560c6722a74dc70fe61bd8e70bbf4124

SHA512
6a66a08fcec69442f8e51a9c70e04261fc32bcdf53745f61e6f2f472a9a48fca84c0685cd0c5d0b6cb572cd0aed60a13016b3bb02745d4a118971424ed4a1ff8

Download Submit
C:\Windows\SysWOW64\Fmohco32.exe

Filesize
163KB

MD5
5161a6a142658848e6f3a6dd009b41ba

SHA1
0644ddeca02d719883c1465480c76374cedac018

SHA256
f85540f1a4a7940c92dfe77c800a23e6ab55ffbdaf568187822c72bddc74fb46

SHA512
c09304d7c3174ece1622205d554439e5418ef76c5496fbd95b3a67e091eef4c10047b53179af4cdce7e19b1f418632b676b6f05589bb20ac0741c94598896ce2

Download Submit
C:\Windows\SysWOW64\Gekfnoog.exe

Filesize
163KB

MD5
d1b895b53fd8e134feb4f052e3e958e8

SHA1
3ace073e5f36f21ee501276d337b23121509b1ba

SHA256
736d2f2890063d2efd28301a35a6dd70f13ef10964497d69cac3814316c3250f

SHA512
fc21a6c220e39ffdd74568664c4c4109c3e2eb0b5d493b5cff390ff18961373776b1078b515b05203f434b16745d495e7a660860c25d6ec7ab047469c40fa2cb

Download Submit
C:\Windows\SysWOW64\Gglbfg32.exe

Filesize
163KB

MD5
16f0358c0d251878953da13152c5947f

SHA1
386e101e3e1ea6346f40daa0e126aaca663fc15e

SHA256
596bf9cf6e8324d7fb98691a88e651f179baa398f093dd254043394c98dec22d

SHA512
b7779fb81f83465e1b43679ef1c5929e053ea244e3063c76e3dbf94fb9a4b9ea0262d7fcc7235014c6780ef2470bfa3770b66e8de67c98ae9a94994de1a74e58

Download Submit
C:\Windows\SysWOW64\Hcjilgdb.exe

Filesize
163KB

MD5
105f011d4f5870fcac62d5bbfbab3bdf

SHA1
365be8491c822d474a1888abbea23d1e88299ebd

SHA256
417e1af23f001851283f0328562e9843ee06d467a75df9b0b300f25194d4881a

SHA512
bc6032a87b0c988af5931f051c20d1b12aaee444eab0ee8fd544550858e052752000cb553a89e4c1166e4a06c50a65daf439f8a08e7fbfa610d2535c83f1ee40

Download Submit
C:\Windows\SysWOW64\Hffibceh.exe

Filesize
163KB

MD5
fb80eca79a8c10fd4bd20aeb0c4b973d

SHA1
bf46fcd67b0955fbfbcf61c7604f024dd846f915

SHA256
a5f7e3760ed7cf5596ca93bf175d8c385b2ebbd22b4d1a060dec22c613723149

SHA512
0c824f475761b242b8670d359d9cb42342b522be2858c55e75c2880f505bebeea706264ab1df2f783ab1a796ef650320935447e63febcd3ded478aefc6b4df21

Download Submit
C:\Windows\SysWOW64\Hfjbmb32.exe

Filesize
163KB

MD5
fa328f595cffc65c5ef886fd7c73daed

SHA1
631ebd5147c1b6ef95dc120c301537acb31d6e2f

SHA256
623da1c142a60be020740323ae36cb12d10b19548da25d37307816160fc6c8db

SHA512
5339f9ebb193279fb5c89c850dd7615de6a2056f2f208baa76d7bb4cafd455f6694443fd7c72642b440d215c7e9b79622bcb40a5a693d003360005bab9ce6e8b

Download Submit
C:\Windows\SysWOW64\Hjohmbpd.exe

Filesize
163KB

MD5
176940564cdb7f72d1473b9ca6e808ef

SHA1
8012bdaf9e32c38ee85a72e5a205e03c85330668

SHA256
08908f0149c6f10d7806fb08b60d78fe57c63b8f04351303e5819183ee44df15

SHA512
75217416ff1b20536a8fb3222e50ce08f7c9bd5c0d6f40ce6eed1d3baed6d9446ecf7ec474ee0a1ba993d50a6ae952a7593a75868b8e8b3b038e9df8e06b7ff2

Download Submit
C:\Windows\SysWOW64\Hkjkle32.exe

Filesize
163KB

MD5
6c92cb2b75eb7e392762b2708cab63a4

SHA1
6ddebf46d2cf8f3700d1c9756c9d86e7ddec4020

SHA256
96ab201cc35be1c9396e73795527972be027c768301142e3ee517c610cdad3d1

SHA512
05e6f403786d86847f93c2d3d645222a8f5d7c4ae6782a57d505c61e2f7a60c100d4697895bb881e1a984557c3c299de4f30600925d73a65af70a7e972cf1453

Download Submit
C:\Windows\SysWOW64\Hklhae32.exe

Filesize
163KB

MD5
4328cfebc15a006a87e656e43217dbe5

SHA1
5ba9a3db10c8b41a053ae35e6bd45f2cb9a972f1

SHA256
bc4753d289ed2947ee7eb7fecf179211bcab1f7764ee54d07d3626dc6b07c6a2

SHA512
ffbca46cf6589b98582e8a2606ec450462c7e2538f9c23346c90cb2f027ce4cf5e0b4bc78dc5d9fba5b3d6d5825a2ac40626a1ed32b1e79513cc4b513f1b97ca

Download Submit
C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
163KB

MD5
f31322d1f7bc4a456a8c74a833bb3c06

SHA1
7eaca1ad55255ceda08c30460b112f96f6a5af79

SHA256
c02d06952a384989ac077d7f8955060ea2c974d66a61f439ba5734ac109f561f

SHA512
3c950ec263740b141cd5c6e42026700240999f616978fd8de0101afe2c2148b7fd9ba8b1c902f18ac9b9b45fcec73c85a71363d1f5f2f0a80bc4df6709a4b7d1

Download Submit
C:\Windows\SysWOW64\Hqkmplen.exe

Filesize
163KB

MD5
678ab8f51d1d2ea532e99abcee6d97be

SHA1
1493489e85964bbae2fbde4afc52a62a57db5a3f

SHA256
e50f1286a44a8c5bfd096533c8c6453f504746bbe229aba4f0ed7aecb198a7f0

SHA512
b197c2eaaa261df7a81907accb5b45926277738237b4510859f817e27c99f6cab098e4112e77a8d4d746b8585d81a6f9b08505042b684dc9b4450d916f3ee862

Download Submit
C:\Windows\SysWOW64\Hqnjek32.exe

Filesize
163KB

MD5
3ab4a40a49cffbdd06b77c02b52067be

SHA1
1f04ff9a2dfe50c0c948a6a9e74d85a3b659aa1b

SHA256
d14477853e8360bd430f65aed83a6b6ff3d3ca01919f71e62db47a3c820280a5

SHA512
140cd36ecc811af4a06c1ea6a22e8b47f23af5733986b1de465041cb64ce98fa26db40043d3e3b8bd6a16bc282856f23631ebab61489b31da7cdc4490b519111

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
163KB

MD5
06b3b15c78e75c581ad4f663538c1ad4

SHA1
188d1ee4df3276cae384576f87dbc8ca3e026388

SHA256
6e35fca1ae1e394b66e65c646056a3ec6f11faf78e37c18ab704333cee8365a5

SHA512
73ba39b891400e8b67a671df4f615ddd52129ca94699a44fdf117a3f81cb101da7a61d6b7d732841e9b34684fb02744296f87abd3fbaa5fc798e9c7c24214c62

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
163KB

MD5
4034c82edd38307a34b79ea84d5f10f0

SHA1
06c91ebfc81feaf117170a438cfde409d76af33e

SHA256
ac168339410ec95e6d0a63115aa1ac504738f2aadc551547190f70b950b94554

SHA512
b1f2fbb00325e103aeb40816d9b214ef82a71da69a994dc47f421a68925aa83911e736d765a9aa647cdbc6d2d843f070cec8f3d5e8683a5f8ed0b09717b32a69

Download Submit
C:\Windows\SysWOW64\Ieponofk.exe

Filesize
163KB

MD5
5b4a98323b997ba1da912778c47fe072

SHA1
e72f5a64cd364fc253bb406368e751e6e23d86e2

SHA256
323cdf7da959f91fd192a24af85253cce7888adc620afa037fac5cafac42c752

SHA512
08f5dc0a01d66a16858669c19c008d0e007800226dd4917e422bb245c8c41f57c867e19683258dbf61cd985e0a89c615bc90868e853cc88fa05d4e175bc8bb7a

Download Submit
C:\Windows\SysWOW64\Igebkiof.exe

Filesize
163KB

MD5
1e7456a67ea7ff6973db4b5371451be4

SHA1
9a15aec4364fdc24b2afd7243e00cc82b7d47af1

SHA256
74b576235468407c40bfdcabff4926ec5da552137692cec8be5991503707fbca

SHA512
9dbc81e52a21096958ac60a8a878561cfb1db6469c05ef194845fe5f6c44cfd678d395f6da94c8491b3277b0c44fce85afdc0eb4351ac5bed90222a0b4712758

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
163KB

MD5
a2691e005a988107aced75b3d39b5157

SHA1
4af92d12e1ec35f414f0507b54b7502e14100303

SHA256
c6c48d384bc8d314cd7e5d2ba983b74065f12462f7b287409d8ee84a02870f1f

SHA512
45d8ab50f27668d1a154e0ab2e1d8978410c4e6f19d96c142848cd2d2d94850d6be3b053250b25284b83895994c63c3e94fd3b250eb624f7541c4eccf69bb6c3

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
163KB

MD5
927fefe49c085db698dc8b4afb5e4f4d

SHA1
a88b73b4fa1e3a76b58cbdc4a5582295ad840ffe

SHA256
19df3394dcb9c949ca98725ab79ac6d520b51ebc53cdb9a72d8edc99d0d8186f

SHA512
f3636617d6be9b12c4a406380c8957df871605d514674cda034de970bfd3a51b162edc5b3d0a075d4af0971e962b68c7f655f4da6cb1d599a63624de8ca96143

Download Submit
C:\Windows\SysWOW64\Inhdgdmk.exe

Filesize
163KB

MD5
544fbc24d2dccf2b166a28efc3b219e9

SHA1
6e7b54663a62d38a1d19f189aef5bf341434d267

SHA256
4c0d692f4b6c49327ec4eae14cb4f4afb80995af6f4aa146c57ccc612cc707d1

SHA512
dde873a24eeed812c0ec751caad1c79e09d3c46cf2b79e570e3ac1f80e8e16ed55df1829bcfbec4aab2a3b73404ba35ed22de0b5c875dfbbe311c15bac514863

Download Submit
C:\Windows\SysWOW64\Injqmdki.exe

Filesize
163KB

MD5
6aeca45146e7954f4f3f9944da13b40b

SHA1
1d601d78f0e380b26a70f8fa4e855217232d35b5

SHA256
bd959c24a3392b9738205086d88d15f4fd436818747344b4dfcc4f443df31ee9

SHA512
6493c1b42237f3ec3c27f0a850f79603dd6c4d80dce0a3d106fbd42112bb8ed7853460e091215aee2140fab361c53f089e4abbe66ccfe62ea532944808971199

Download Submit
C:\Windows\SysWOW64\Iocgfhhc.exe

Filesize
163KB

MD5
48b28a063be61758b3d572e0a2fbac7a

SHA1
89b8c918d9bb2e38a660645d9d4e053f6e411c5c

SHA256
0653a4b5405fe1807c19d11ef0e812c373212b0af9697d54e61818561ec10c23

SHA512
bedda1d3eedc2de5fce0a2a82b43deebb429c70353cf19ab9487993ab6c07c283d0b41045c5141148a372a8f94301ef56259a9861831fdd4e9c44268567df925

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
163KB

MD5
353f41b83c45024d3bbe6f412a1ae200

SHA1
3df0d199cc0820b19e2f94bb3f7c6b836bd1d991

SHA256
2b6b2a257e25e49a7ab233e586fe6fab32fe54ee8a011577a431139e38a49479

SHA512
498c65bf469818c6e652894d26a18064f993f2617202b8c9c937ade076b43df3bdc1c1fbf606cc7e7a5bf534e8e8c1bda05909e970eb9a6e2bfc17c576e445bf

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
163KB

MD5
71919c1297181fb8f2d56c1e8e59db34

SHA1
4a7870d130163fb93104553215dc326c17272465

SHA256
77932cf7889aa081349e5f1a95f1fb7162936140e99753aee3e66fcc9d466d3c

SHA512
927ba974f4da09eb0d49c15ba76290f1513e78a7608ed31ff9c078f1d17d0ada0dd96b54435a943e6f37fe22cbcd9689b0789f2b11ee507145cc1a93c396e992

Download Submit
C:\Windows\SysWOW64\Jbclgf32.exe

Filesize
163KB

MD5
4ebcde5e69f760a35abec7552fe3b581

SHA1
3a4b28892a6057e84a48b93200551ef995f0733b

SHA256
c72154cf14cecc4752cc4a08628c9e658551db2e5ff8c5a236c2091b2d5fed5a

SHA512
cac348b967c38b50dc3e4e66a31cc063b74e6cc3d1dd0bb40b7fa092eeff4d24a8de52c9872d4cf8851b2eb5cb9c7ad6782994dcd996a552cabaee0f4c4b250b

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
163KB

MD5
710743d808d8fcb35befa595963cc058

SHA1
5beb9b9858b1a9450ebf8d3c8b8995fa7dd1021a

SHA256
6a0da90cc70f3958f3b3293dd0ea5dc1270b804edfe0fa1eb23abcd111cb36dd

SHA512
42434d66cb56b53a7fe91169d322080f886f0f8deb214642b4c69982253e41b3d3a34d34be559e446b473b4fda4976879d2412410f4102bbec56d6952ee9f7ef

Download Submit
C:\Windows\SysWOW64\Jcciqi32.exe

Filesize
163KB

MD5
8d9fc6c8071445ea5efa6045decc0778

SHA1
2ad99a7c08f84e6eaaf9ae3bdee530055dda46a7

SHA256
8e001d7987ab170ca51b2f2d75fd312fdbd88f5bf071cd22367c8ef4fa151d90

SHA512
634b047dca74bb23fef66e83f5f4eec3ca83197887b38842945cde82dfd47ca0848266f0e8f619b5238037d49f602f834514df29795d162f6fde736e951dfb51

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
163KB

MD5
1887c9a894600eeab4c73f4b38dae4d0

SHA1
7bf51044b5ed698e49f2b652837f32795e3009fc

SHA256
6d677b58fede94fc70dd4f9c854cbe92c1904ca1130c0c3abe7cc5f5419ce137

SHA512
b852888479f8a176843ee18e5debece9d8f8a2a0e3847a9bdcb32e2b5816d9e7ce5e8d6a5ac0ab9cb4cce72e5940fa97b3bd85f6fc99f876e1ca3b003df626cb

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
163KB

MD5
8394d4912292c8ef56da55ab4eb235d9

SHA1
9e1d9883091a3088596e722a0d53e3233b4e6a72

SHA256
e944753751d2bcd77bd62cee39f6c6832a12106a42b7d4d0cf8b75dd69efd4b3

SHA512
1ded3cea436cd33f04128316e722d63966e59214a178c72ba1bf64c5d17a470b6db29a5d277ec6e1c6d5691676bf0c5f88a5e725bb543cd482f9523db1d9bc17

Download Submit
C:\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
163KB

MD5
db6a70a983fb22c78904385fbc3e16b6

SHA1
b76e2242be1aff412642a8bc5c22e5490791741b

SHA256
92236a97eddd20869fd6d4892896c6b6e1d4cf1ea4ab80f4600313141d77f638

SHA512
2d52789f8894bf92a0dd6e706335c305c0e4a25e61c9e853325ed9c163bbb4633e7a1843cc00957b376e6d79dee4802e0046ddcdf2356bb761d3e095802016e8

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
163KB

MD5
f58469712440e966dc1ad3ee8c80e80a

SHA1
cd2e2663268b159895d193ad8720701263273483

SHA256
18c8e6a99107b83e2229ca628c99f494a2e8b05322eb2d77da4d4bc7b4d0db15

SHA512
936da9593aad48cdc08b8bee6e3c19ad0ce36575c973d973161c133bc127aeef8f6798aebc4f9828aeadd62cb096bb5b32955ebbacf0b82b904a1d15cbfe9bf9

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
163KB

MD5
f3d6d623284082a827308576eb3fd2e4

SHA1
bc922beed06cebf5f4a9b8d1f4241335cfdf0c16

SHA256
f5c5103718629e052a1af1b9421348df568aec306b749f1494270cf3f3b6919f

SHA512
c05360e180d4701b31f803e604561fb1070c90395d1ef36d0453c1e343d7a1be8c8620a7cddcf05caca9d00475b891932f1194f806dada9d5694c9c8e5cde840

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
163KB

MD5
eb00d660e6468c50f94cb5b4e09eac1d

SHA1
8d8786110e9d008dc35ebc50ad8641344a14bb27

SHA256
b5a10ee596a4c27b1377c577277740cff964a293456aa0cf9729ccc6b93222d0

SHA512
3c3efa9cc40af121a603efd96103b6786d2c5c97ebb3b8443b44b7cdc3640075fcc11b63dbf686285ed65c02096acc8893f982c1d302425980e7d730d7cffb32

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
163KB

MD5
bcf2316a756ab7715e1177696bd8e961

SHA1
f8c3a9c7e42cfc9721bdccd912d9bf1cfbfb18c2

SHA256
29ae8dce2e3bf17381e274fecdef3ae5ac0801ccb0f200b5a275cb07f0640a5c

SHA512
c5445fb20d18d04f401ccbaf3d11a8f89109d886c3ce1e535f8808ed9b605af7a1e6df75bc50a85a9c00d804648eb3380a4f05b49463e2fbdae0f65f47b32aef

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
163KB

MD5
1f2e0980c9f13618c73e6b0574d81ccf

SHA1
5b9c97764837210113eb84a68e880fdf992528f2

SHA256
e032688a5e9c0e5c6dc2fa647301927c604f10a423a5d53d5f2cd414ef6761f5

SHA512
87dfc4b82c71d4270e8ae738ed2216334556b291f1e311015659fae0beb4eb4546f8c4cbfe8afa664a7b7608ae0a6531e395fdfc11c6ad0105fb7f7b821cac5d

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
163KB

MD5
c00e9e537e6f76ca3e49294be497ff74

SHA1
5b25d748efe2b881cdd6201402ac3dd840a6156d

SHA256
e782d407ecab31e10530470aa6df6ef92551b90e2fa4fdd7813abbabb6552b01

SHA512
1197d94aee47648736a79efe99661efab86d40e232ee6b52c54e63ac7df269b3eeebb63572ae03722b18f20ee4b60fb059f4572716cfa7908c0a59de4c7df6cf

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
163KB

MD5
02b049740dddd52f175feb9fc3cdf13b

SHA1
3ff640bc5cd3b871ec6bc55e8ec406a8b77f7905

SHA256
501b48efd299edefabd7842476633f27640380ad23b3fa499182f7298bb01512

SHA512
403cf7a0a53b3a608d727e9f082963c64706d96eaf30bbc12994fa45e75bb0a6c5516768fa5efa03a0ab81d9b11adbd1edd845faab5dcb5e160de895b7eb4e30

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
163KB

MD5
5eada3219aefdafcdc05dee83448d506

SHA1
484a56bf970c371c4616a212b5e1e1a5ec66db8c

SHA256
b67604d46fc0557db486e8a15f5bc56a13a4161a6c18776e1e867d867574eb25

SHA512
552d316f1cb7f1934f15c9fe8d38d2356cf13e785662d511f387f80e3a78c12f653317452f6c9593a68e3901f92107bfa29ed0587c35132483d73f4266072939

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
163KB

MD5
f29de6382838877932b13c1a43eac834

SHA1
4b478d6e0d76de8ea556c1b015789d1cf83a15f2

SHA256
32172f53f0b0415d5c4056730594ec7a1acf592a73723991749f2831dca164dc

SHA512
e5021d636cae6dde3b9dbdb1d688975831a9359cc356e8b5b8e7567ce17980082cdbcb570b1f5e8da935e8e1692045cbde2f1a34be4690eab12e60198df098bd

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
163KB

MD5
fadf852d1e7cb3c9dd29d063a861dfa6

SHA1
0ee156a66e7e7f94787f1d3abc21dfb4cb160a86

SHA256
9f927cfaf048006478783df585c6b721bae8e0453bf22108979cc6491e6db4a7

SHA512
455f3dbbd51e3be8d65d72e50f6a0f1f204f24df63eba76de3021322add8c8a8db213f0359bbf7ee7b9e30383baba50658d64a439b7abbec70a247ee4ccd064e

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
163KB

MD5
f1fc011bb3f21f021ea31b6f0a378616

SHA1
35859cea701a54fba48342239a47ea2b9d53b09f

SHA256
557aaaf1f403f45041fc18cbc7fbdd1230b473b5eb98ad5990a2a56989b7f883

SHA512
61d4d11166709922bd8fe8f76a1ec865b64b1fec003e05ee85527c03c079733e948575ae8f5778ed83ea519420a7b05c9386d8fd902c9355d8ca80f48f84296d

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
163KB

MD5
b1b91288c04b7d943ebc080a62600ff8

SHA1
4b6137f79993df64533134e111175a25fbf3ddf6

SHA256
21ef2a7c61b1ffb4359065d3ba521dfc800a24627755b436aacdf741fd7840fb

SHA512
a6baacbcbb973836186fbfd214e881bd092bf4b1a13eb52a1b197c1273a81e4c0753ca2e0ce61c48fe5e5ef96fb9206e89748850fa3ee5f0aea75a00bed6fa80

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
163KB

MD5
17848c13229115f0193fe4f99d42a91a

SHA1
08c50d7edad2684a8c0164299d7ecc7bc63f4e04

SHA256
f521faa6321fa7084cf77fa41bd6b7ccb1480cfb461cde522bd69a761808e4ae

SHA512
14d9ec5301a8655c1ea668ba21e5270df68502e9d66f83de6e7ac71a222047ab13e1cf830fa5c140c103926060e7c6d5c9766e23adf1b65ad86aae271ffcdb7d

Download Submit
C:\Windows\SysWOW64\Klcgpkhh.exe

Filesize
163KB

MD5
d45dff05f67fc56272ffe2646dd7513a

SHA1
e358476636c0cab232540d6b9f2fe641d7e5dbb6

SHA256
fbdbbcc65319db34810f863435e9e9c44d5d0c97610f67495d09897a14af3caf

SHA512
ec5bb6b014a5bf5d309ded78bcb44149b46de557181a3911bcad92b35110ff5114e9d163eca5d10c0e509e337774a0812105d7304dd819b145f72f219b610f6d

Download Submit
C:\Windows\SysWOW64\Koaclfgl.exe

Filesize
163KB

MD5
11024821b0d35272503738e90096ef86

SHA1
1c9673f8dc7ae1223ca3bf35bfa50d86de09ba07

SHA256
bfb5507036e2110ebaf827c99d86c16aff9a86f06a70911c1a5cfbb8083d5f72

SHA512
62626e0f4442538207a67f3265a1d861597d2b657ae9484895fc32ed23db56d8d5cdb15a7deb336d40b9b8bc1c194f0141e00dc5d1ba5f3b1ec311a48b0ce653

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
163KB

MD5
d6b84bb4b9b29fdf43fa2bc87818b13b

SHA1
f0aac1b93b33dc277bf887c9e804239b30639765

SHA256
206ff57a0fb071e8919932da6ea871d4deebdf715476630287f626f411b6ae08

SHA512
fa43c3176bd2a5e98505bed502bf23f2feaa1248a459666129fb580c00c98ae1bcc74ab0683887943c8d057d3cb42eac1bbf2034c0c3a21a25ae35723e58f5dd

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
163KB

MD5
7a9c91f72bc0e5e667489dc8fc2d8d00

SHA1
36624c2b7e7a6acd84001c3cff12d4268a5de72c

SHA256
1c89af3858a3bdbe68946efb6cf135ab98063caa790593cfec228f5936a5e673

SHA512
23b00e743ea1257ef52121863a91962bb457e539e283fa5db113e4b7998596d6e6b6e34f30351c16b6fd6be76d63cef49bc8b405f7cd87f3495caf5bcfb77f3e

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
163KB

MD5
6d5ccd7dc506dd5ab7240e0784d5cee4

SHA1
b05940bad77edffd384c1acbdb77b97563e9ec68

SHA256
db9ba2a483c08574d964fc734847761f6e8730e217f25cdb013b2e1ccc33f2db

SHA512
62dfd97bf180e2dde8dc1bf7e533bd3edb9eaed6cb65c5fd18faf3ed3989bb7e85ca78e7cde70dd5f67b0f864a7ec2567fb2b93afbfa07c6a208ffbe5887da79

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
163KB

MD5
2ccc4df611bac9e54eadc6f935353643

SHA1
5dd3e9a1352b6a69714cce6830fb7228fcd1a14b

SHA256
c5f10ec947c8acedb9ad64ba8ec027b8e5afc0419616512c8916dedffec61be2

SHA512
cc2a8f40f01fcb120c5b45d009a179c7d9d9dd9638e5e4948901a05e559278f81753eaf71e0298aeac80600b08833801384291e9109514be617bc81f67001198

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
163KB

MD5
785f55f49fe05d9a9d1daf417bfe8fb5

SHA1
3e88237c9c00ba4374e631da1493b2cdb7fd0723

SHA256
745c0335cdaeaf2f3f823279685c60bd4eaa6b2040c631a91db5b38f13852d58

SHA512
425a181e2d7be131d6a254cabbabfb1c3131018d5f93f43b4b6e2931a40863bf74d500328d30e49af849d72daf058a9e700a0226c3c7d3faadb1f89db865108f

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
163KB

MD5
1eeb527a4080d6fc1360a96e7afcfa93

SHA1
2dc763804626e7e7267db03d37016effb78e41cc

SHA256
e67ae0591dfa8f68fa868c5ece3f0033f28a44561f11e49abd6f4874f46a483d

SHA512
e008c030664e22d6fee905287d25a64b7a20886a4d5b36e814178025f1995fe2153b29a7dbf2c10266583018d3a3f22684ddfbdf119ada0fc8a618edba41171e

Download Submit
C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
163KB

MD5
e8214a9ba85b234a4ce245a6ef8705f8

SHA1
bc9cb89211d63e94682d42bd6668728631dbee39

SHA256
08fa6b4502842b9fcf85b339f1e9964b1a7eca8f27b993a3a02011d96af816b4

SHA512
0a5a444f7712fd9cfd71703831c5be1b3b3f39787d664180a764e8b7eece56a4fab14f60d4ee8b9408d58257fb310058a1bfe64a7a67758ae0624174d55dafcb

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
163KB

MD5
bb35725bced1f722d45017919390c939

SHA1
3981b39d8d07bec7a7293aa2d965f85506ecbdbb

SHA256
4691facd286b962d8f9c9ce444950db48002db6b1f17dc9759a393bd1403899d

SHA512
60d94b90e5e4803ef41f1516fcc36efbd893e4ff7fa16822a8d68b9e9ae23f961d09069943811635d51ca1bd0179e1a99c8eb6acffbd2d1f7ae9bdc6a84b3819

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
163KB

MD5
a16f23f93579435d950befa73fd4fa9f

SHA1
f03fee1fd565046ed29c8997009343add94acd71

SHA256
e55f127757b79cf10c5b2e4436db71f13e76c60cd8429d60b2b02261808e35a8

SHA512
e69f2b594178bf618930d56f9d8f829610f451c031a143a2831261e73ca1253359bc265770ccd499c930dd9bb54cb061d78d4eca5e8a9670d59c4ea0c3616850

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
163KB

MD5
3e97a9ac7a765684a59d1dcd569f851c

SHA1
3f4e8d9fd2e782c61592c4ad7716be35881ad0d2

SHA256
216883841494968d189e93f3aedfa97dd29513a538265c7980a1188204ecce95

SHA512
c14a5a01f56ff1b2369265444bcfc69d9fdfcac783ba291573f37c116c386981f2411c626b6d1255f1520ba466f55f8e328e0ae16193894a97a0bfb8b64cf948

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
163KB

MD5
c64efdcad297fea8aee568164f269d2d

SHA1
f999329c2c004e59c8f0484e6e6608c84390923b

SHA256
ecfa281e44c2c3ec6fc75af196db66b333a27d2b9a2fa8ab7fcf5ce0dd540aec

SHA512
caed2ddab5993796ba0d99a845ada1983eb9ecbb9880fb3fe88a3eda4d4558e0af4170925f8c035bc4d7ccbc66bce83c468385d46190a34a319aafa46dad4c7a

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
163KB

MD5
0bd0ea3641484a582c445d9414a7f748

SHA1
7523957d37c07f03925884629425e4def653ae43

SHA256
564117bdc4141a618f9faed3984738a897cc517611ae28d93957172c0f2367fd

SHA512
7958ba907f0da93a117c1c0f2f81e433e5f0402f66f8149c65d6e356af5e1200c928fc7539ba9214e44c622ecdf88e80ce542438c96e061e383f46907b76b48c

Download Submit
C:\Windows\SysWOW64\Lmpcca32.exe

Filesize
163KB

MD5
4de3f965b1e6d1399eb46ef404092654

SHA1
f6f6643bc665fbb0ecb4a8e31e11ed950b8a61eb

SHA256
ced322439d523658ec738d4c3e553891bbef107c58c5dcada4ac75dc76351906

SHA512
b617f1291cc4a00259752cd3ec2c91b0ec6f502331699506031cee19226a556aad6b1141e627f7001632c2796aa392efe8af9bc1788b0c33e5afb69fbc58ebbd

Download Submit
C:\Windows\SysWOW64\Loaokjjg.exe

Filesize
163KB

MD5
750014246501fc3253cfc4380d6616b0

SHA1
462ca3759efd83d1368e005c25a822aab041996b

SHA256
4dd9f2d92970280ae741d70fcedbcdfb6c06cb432432f1e931b5670a00654cfe

SHA512
7e88a0e2f7ee5af35812e8c93cb80ed03668a0086202c448b9977ca4f5a28454f0e4171a79ddf46a449912b94e1719a02cb974e546de379f1789fb3550eb6929

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
163KB

MD5
97b5a2136417245293cf005305f5f671

SHA1
78779be02cb91d2abfa7a7fae2767aa47b2ae1a2

SHA256
83f91354fd5bd29ce166b6d39f07b3c966dd3153d64f41ab24d5744ad22e4668

SHA512
5311b923b101e98dffca461a2edc3d44e0c0a473ca611a5285e0c690087655c63524c72eaea78351b9658a927af4e3a39d204a95955ddc7caac32bd684a79276

Download Submit
C:\Windows\SysWOW64\Lpqlemaj.exe

Filesize
163KB

MD5
dc866b5f227182e3b15e310dd411f24a

SHA1
8aeeea92b22ede39323e41f02b8257678aca99ea

SHA256
1fba7925bd40f8511abbb33924b23fecda778818224f38bbac35e19f6208401d

SHA512
29da8b67a2fceec48686ac94d7379240d545be77a986ccc851f2d4ab36c307d6583eb0a7b9a44fc0dccd6e52ea28cace9ea5d346a80d8edfae7266c28a842194

Download Submit
\Windows\SysWOW64\Fakdcnhh.exe

Filesize
163KB

MD5
073145befdaf7ebbbeaa9e7f1e161079

SHA1
d092b3ff98c31276b0118174be791f059af870f8

SHA256
d5f59ef06fa0f828cf2082114c777556d9b8db74662f03e2c800b4c05bfa7b8f

SHA512
8c66fd9586cad3b34cd05caa65d4ff9d3bd79964b433693e7c906e328deba34b5a364ea7c79691670dd72955280ac837e8d2276422b360c5dcc0150efa5c8129

Download Submit
\Windows\SysWOW64\Fdgdji32.exe

Filesize
163KB

MD5
0ba12e75de22bf18432834497d591838

SHA1
8e77400d798b48f340d44811072cd249ff9887d3

SHA256
021c84590e6ecc4ad53341126543246aca07c5469a56562a2d1725ca1ededebc

SHA512
02f3c8e0c05d747ddfbb503b1c0af607686e0c74e4e7173ef97dfcc8a4da67a163a02579d2f775b4ca396f20803dc77111c1a00fb119eeca576367a174522394

Download Submit
\Windows\SysWOW64\Fimoiopk.exe

Filesize
163KB

MD5
daf117bd3a7acfa5d15eb26d9d352885

SHA1
a3356a8b3b2c0fa5ffcf7bcddb7ad5e51a60104d

SHA256
dbd7a8745cc2e1d35d05633bf869d40f7527aac2b6690aaa333efd105215f300

SHA512
840b88981f931e635216bacafe6c7e3dc2214dc9bb8e518d0f1db1712d1655f2e00c29d0a7b6986f8e416bb6bedeaf322da0a0dad91222d3f9c608829cfa5980

Download Submit
\Windows\SysWOW64\Fliook32.exe

Filesize
163KB

MD5
d66958529efe4717ea9a26ef2fee2b1a

SHA1
8bce83050729d0f3da0dee7a855c04cd13eb08c5

SHA256
fbae4f23df1040b45da5c1277aad9c5fd7cb009eacb47b28b89af536eeba52d4

SHA512
d8a51e88b2e54f921a7922540f553407dd1e7c114ab3cdb864482bffcf614e65f0e1cdc6598e0ed229731585c16a18ad78e1317e096c5fce65031ccaa07f165b

Download Submit
\Windows\SysWOW64\Gajqbakc.exe

Filesize
163KB

MD5
863004b44e1fe7a20e7be0d0b01de3dd

SHA1
8bcdfb983a23a5edc3a4b770220e8ef2a44e71ba

SHA256
272bbf30c83b39d37a981881dd587b8b3e55aaee371040b4d942f686c8166c72

SHA512
57d3d7859f4b00a16a4b90da9cc9986938ac74f5831995e5006e0e040b627ded5cf3cd9118fb760fd1a36cdb61d34f759e159dbd1046e1d029fcaff6f928ca16

Download Submit
\Windows\SysWOW64\Gcjmmdbf.exe

Filesize
163KB

MD5
6e790fd8f53f3b878ddce335c26bcdec

SHA1
713dd2edcddb38ec69b1817c82425720e0dc8ef4

SHA256
e99c17f66edffea15b64e0e402e742de6da3b38fc0163baafbd95e7a763fa7bc

SHA512
ef80aeed24dfd91f816fa2faf11c73ed679468b95f5d2d636d7a5daf39a8437b14c0171bdb8038cf69858399276fb631bec94e2cfe8d4ff828f3291e3dacea17

Download Submit
\Windows\SysWOW64\Gdkjdl32.exe

Filesize
163KB

MD5
2360ae25d319a7e53ed9797bd1062c36

SHA1
64bed9bf91b437a300cae507df338ae224f16cde

SHA256
ba56a68d728034eb063164e22ec5e3e77f28b202baf9f2bc4daf1f541983c13e

SHA512
35a6a85f21091a7b6fd8f1bc8d9eaa2b63620fc9668430827aa31a23ead1db36c6eb44d87f787e679cb82966e67f7beb4d280b22930c91e300117c071994ab4f

Download Submit
\Windows\SysWOW64\Ggapbcne.exe

Filesize
163KB

MD5
be039977f3fe0d52efb4c814d61883af

SHA1
a469528317c32f5d2546c259589755f6b4ac9a45

SHA256
aba97a733b3bf6c2202a8b04e6c1e247ce36db14c4d18405b94d07573fddd1b1

SHA512
d3036ed80a3d585797a4a3eaf80d6ab8f0081467eaedb1dba310ff33b2a8eafb04416e11c407d92ce0f619fdce91ca59a67b3283f1b912f34aef954a34985759

Download Submit
\Windows\SysWOW64\Ghbljk32.exe

Filesize
163KB

MD5
5c59c98de042a1cc7088afa7c87bd3d8

SHA1
b28da76eadf8c955d38a67988075c6bee8e7add2

SHA256
3347bf29827a0515b40bc87187d76b3444488fa6a9b1bd8251e1e819c3e0bc0a

SHA512
b70edf33fb19197dc8b62a1494fb8c8e5c5ae2db07997a31111b31339e7b6dc868ccfc2c013f89ac0fd8b8075b78cc6e711d2da1a2a89d8e0602cdc0999d3920

Download Submit
\Windows\SysWOW64\Giaidnkf.exe

Filesize
163KB

MD5
db3fb21d6d293e07f76b2133fe35352e

SHA1
36178c7f4f41f2ba208e7ad4be7caf90ba32fa3d

SHA256
955ed8591f50ceb2c25e917afe9680637749329b5b52e4b6be6e3366ca3f9549

SHA512
edf65184bce0c94747a72c43d2e094f728b3b7f64331b7d9e9f64be815266512e30c1df14d08b244cbd9e627004da2eb8d562444cfdf8d6da698da44a8988186

Download Submit
memory/268-516-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/268-514-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/268-505-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-210-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-219-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/800-220-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/800-527-0x0000000000270000-0x00000000002C3000-memory.dmp

Filesize
332KB

Download
memory/904-242-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/904-236-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/904-241-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/984-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-260-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1052-258-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-264-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1080-221-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1080-541-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1080-231-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1080-230-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1080-536-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1228-553-0x00000000004D0000-0x0000000000523000-memory.dmp

Filesize
332KB

Download
memory/1228-550-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-243-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1320-252-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1320-253-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1332-364-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1332-374-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/1332-373-0x00000000002B0000-0x0000000000303000-memory.dmp

Filesize
332KB

Download
memory/1360-529-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1360-518-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1360-528-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/1396-141-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1492-483-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1624-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1752-87-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/1864-410-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1868-390-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/1920-271-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/1920-268-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1920-279-0x0000000001F50000-0x0000000001FA3000-memory.dmp

Filesize
332KB

Download
memory/1936-102-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1944-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1944-540-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1996-492-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1996-502-0x00000000005F0000-0x0000000000643000-memory.dmp

Filesize
332KB

Download
memory/2008-398-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-403-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2068-297-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2068-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2068-296-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2104-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2104-100-0x00000000002E0000-0x0000000000333000-memory.dmp

Filesize
332KB

Download
memory/2136-452-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2140-384-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2140-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2156-11-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2156-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2172-504-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2172-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2172-192-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2172-187-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2172-503-0x0000000000290000-0x00000000002E3000-memory.dmp

Filesize
332KB

Download
memory/2172-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2224-428-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-286-0x0000000001FE0000-0x0000000002033000-memory.dmp

Filesize
332KB

Download
memory/2232-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2232-285-0x0000000001FE0000-0x0000000002033000-memory.dmp

Filesize
332KB

Download
memory/2292-115-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2292-123-0x0000000000260000-0x00000000002B3000-memory.dmp

Filesize
332KB

Download
memory/2320-298-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2320-307-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2320-308-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2452-362-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2452-363-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2452-357-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2512-166-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-341-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2704-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2704-340-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/2712-351-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2712-342-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-352-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2756-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-310-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2800-319-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2800-318-0x0000000000460000-0x00000000004B3000-memory.dmp

Filesize
332KB

Download
memory/2828-326-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2828-330-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/2828-324-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2848-409-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2848-49-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/2848-408-0x0000000000320000-0x0000000000373000-memory.dmp

Filesize
332KB

Download
memory/3048-517-0x0000000000660000-0x00000000006B3000-memory.dmp

Filesize
332KB

Download
memory/3048-194-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3048-207-0x0000000000660000-0x00000000006B3000-memory.dmp

Filesize
332KB

Download
memory/3048-206-0x0000000000660000-0x00000000006B3000-memory.dmp

Filesize
332KB

Download
memory/3048-515-0x0000000000660000-0x00000000006B3000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads