berbew | 554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe
Size

77KB
MD5

55169cdd1a91cd0a2b87fbf4cf6b8ac0
SHA1

2b58e0593a74aa395b6c39909131c48bbc867361
SHA256

554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61
SHA512

a5c959b3cbbb187393afc5a3000137e2cd637ea8464d77032289a961f5243c78c9716bdc845b52a274bb8b2a84d5003a8c9804cc7287a2fbf7f38c39d79d7c97
SSDEEP

1536:tytX8OQShsp6yeN5g0mRRvXJphfo9JE2f:1cspdeENNfx2f

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdqgmmjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdgljmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcmgfbhd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hoiafcic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipbdmaah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdcdbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iicbehnq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfhdlh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehimanbq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecoangbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhfjljd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fdnjgmle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Heocnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkkhqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdgdgnbm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fooeif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckjacjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbmhlihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Heocnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcbihpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoeoidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfoafi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmppcbjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lljfpnjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hioiji32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3692	Eekaebcm.exe
3488	Ehimanbq.exe
3028	Ecoangbg.exe
5104	Fdegandp.exe
2080	Fllpbldb.exe
1068	Fojlngce.exe
2536	Fdgdgnbm.exe
3460	Fkalchij.exe
440	Fakdpb32.exe
2220	Fhemmlhc.exe
3684	Fooeif32.exe
2360	Ffimfqgm.exe
4428	Fkffog32.exe
1424	Fdnjgmle.exe
2972	Glebhjlg.exe
4812	Gcojed32.exe
5032	Gdqgmmjb.exe
1232	Gkkojgao.exe
3096	Gdcdbl32.exe
468	Gcddpdpo.exe
4936	Gdeqhl32.exe
2056	Gokdeeec.exe
4988	Gdhmnlcj.exe
1656	Gmoeoidl.exe
1456	Gcimkc32.exe
1812	Hckjacjg.exe
4432	Helfik32.exe
2284	Hmcojh32.exe
3092	Hcmgfbhd.exe
1320	Heocnk32.exe
3504	Hkikkeeo.exe
3964	Hfnphn32.exe
4408	Himldi32.exe
3772	Hkkhqd32.exe
2064	Hofdacke.exe
4688	Hfqlnm32.exe
3560	Hioiji32.exe
384	Hoiafcic.exe
3288	Hfcicmqp.exe
4956	Immapg32.exe
3720	Ibjjhn32.exe
4228	Iicbehnq.exe
4452	Icifbang.exe
4856	Ildkgc32.exe
1340	Iemppiab.exe
3192	Ipbdmaah.exe
3632	Ieolehop.exe
4976	Ipdqba32.exe
4668	Jfoiokfb.exe
3672	Jmhale32.exe
4284	Jcbihpel.exe
1220	Jedeph32.exe
4592	Jlnnmb32.exe
1224	Jbhfjljd.exe
4312	Jefbfgig.exe
5020	Jlpkba32.exe
1444	Jplfcpin.exe
2468	Jbjcolha.exe
4016	Jidklf32.exe
3284	Jcioiood.exe
4236	Jifhaenk.exe
748	Jpppnp32.exe
4800	Kiidgeki.exe
4896	Kdnidn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gijloo32.dll	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Gdhmnlcj.exe	Gokdeeec.exe
File created	C:\Windows\SysWOW64\Ipdqba32.exe	Ieolehop.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Ieolehop.exe	Ipbdmaah.exe
File created	C:\Windows\SysWOW64\Jidklf32.exe	Jbjcolha.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Megdccmb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Gdeqhl32.exe	Gcddpdpo.exe
File created	C:\Windows\SysWOW64\Jfoiokfb.exe	Ipdqba32.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Gcddpdpo.exe	Gdcdbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ipdqba32.exe	Ieolehop.exe
File created	C:\Windows\SysWOW64\Ndqgbjkm.dll	Jcioiood.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Pkfcej32.dll	Lgokmgjm.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Gokdeeec.exe	Gdeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Iemppiab.exe	Ildkgc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnidn32.exe	Kiidgeki.exe
File created	C:\Windows\SysWOW64\Kjiccacq.dll	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Hfqlnm32.exe	Hofdacke.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Nljofl32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Hckjacjg.exe	Gcimkc32.exe
File opened for modification	C:\Windows\SysWOW64\Hioiji32.exe	Hfqlnm32.exe
File created	C:\Windows\SysWOW64\Iihqganf.dll	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Lepncd32.exe	Ldoaklml.exe
File created	C:\Windows\SysWOW64\Hleecc32.dll	Medgncoe.exe
File created	C:\Windows\SysWOW64\Ipdejo32.dll	Iicbehnq.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Megdccmb.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Fdegandp.exe	Ecoangbg.exe
File created	C:\Windows\SysWOW64\Ncnaabfm.dll	Jplfcpin.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gmoeoidl.exe	Gdhmnlcj.exe
File created	C:\Windows\SysWOW64\Nmpmkplp.dll	Jlnnmb32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Lpnlpnih.exe	Lmppcbjd.exe
File created	C:\Windows\SysWOW64\Ljodkeij.dll	Ldleel32.exe
File opened for modification	C:\Windows\SysWOW64\Lmdina32.exe	Lfkaag32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Gdhmnlcj.exe	Gokdeeec.exe
File opened for modification	C:\Windows\SysWOW64\Kdgljmcd.exe	Klqcioba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6812	6696	WerFault.exe	262

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glebhjlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgokmgjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefkme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpppnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfmmcbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fooeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmoeoidl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fllpbldb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdqgmmjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdgljmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Immapg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfoiokfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifbang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ildkgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fakdpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdnjgmle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdhmnlcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fojlngce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhemmlhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbjcolha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfankifm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfqlnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfhdlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmcpemd.dll"	Jifhaenk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Immapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eekaebcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcioiood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldleel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paihpaak.dll"	Fakdpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nljofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefkme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfadpi32.dll"	Icifbang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcioiood.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fojlngce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogibpb32.dll"	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fakdpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfkaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Helfik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbeedbdm.dll"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glebhjlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdfloja.dll"	Jpppnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmfmmcbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmppcbjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipbdmaah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfoiokfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifmafkkf.dll"	Gdhmnlcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iihqganf.dll"	Lfkaag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlefklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffimfqgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Himldi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hkkhqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnidn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpnnd32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kebbafoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmbmibhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lepncd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fooeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3692	2808	554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe	85
PID 2808 wrote to memory of 3692	2808	554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe	85
PID 2808 wrote to memory of 3692	2808	554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe	85
PID 3692 wrote to memory of 3488	3692	Eekaebcm.exe	86
PID 3692 wrote to memory of 3488	3692	Eekaebcm.exe	86
PID 3692 wrote to memory of 3488	3692	Eekaebcm.exe	86
PID 3488 wrote to memory of 3028	3488	Ehimanbq.exe	87
PID 3488 wrote to memory of 3028	3488	Ehimanbq.exe	87
PID 3488 wrote to memory of 3028	3488	Ehimanbq.exe	87
PID 3028 wrote to memory of 5104	3028	Ecoangbg.exe	88
PID 3028 wrote to memory of 5104	3028	Ecoangbg.exe	88
PID 3028 wrote to memory of 5104	3028	Ecoangbg.exe	88
PID 5104 wrote to memory of 2080	5104	Fdegandp.exe	89
PID 5104 wrote to memory of 2080	5104	Fdegandp.exe	89
PID 5104 wrote to memory of 2080	5104	Fdegandp.exe	89
PID 2080 wrote to memory of 1068	2080	Fllpbldb.exe	90
PID 2080 wrote to memory of 1068	2080	Fllpbldb.exe	90
PID 2080 wrote to memory of 1068	2080	Fllpbldb.exe	90
PID 1068 wrote to memory of 2536	1068	Fojlngce.exe	91
PID 1068 wrote to memory of 2536	1068	Fojlngce.exe	91
PID 1068 wrote to memory of 2536	1068	Fojlngce.exe	91
PID 2536 wrote to memory of 3460	2536	Fdgdgnbm.exe	92
PID 2536 wrote to memory of 3460	2536	Fdgdgnbm.exe	92
PID 2536 wrote to memory of 3460	2536	Fdgdgnbm.exe	92
PID 3460 wrote to memory of 440	3460	Fkalchij.exe	93
PID 3460 wrote to memory of 440	3460	Fkalchij.exe	93
PID 3460 wrote to memory of 440	3460	Fkalchij.exe	93
PID 440 wrote to memory of 2220	440	Fakdpb32.exe	94
PID 440 wrote to memory of 2220	440	Fakdpb32.exe	94
PID 440 wrote to memory of 2220	440	Fakdpb32.exe	94
PID 2220 wrote to memory of 3684	2220	Fhemmlhc.exe	95
PID 2220 wrote to memory of 3684	2220	Fhemmlhc.exe	95
PID 2220 wrote to memory of 3684	2220	Fhemmlhc.exe	95
PID 3684 wrote to memory of 2360	3684	Fooeif32.exe	96
PID 3684 wrote to memory of 2360	3684	Fooeif32.exe	96
PID 3684 wrote to memory of 2360	3684	Fooeif32.exe	96
PID 2360 wrote to memory of 4428	2360	Ffimfqgm.exe	97
PID 2360 wrote to memory of 4428	2360	Ffimfqgm.exe	97
PID 2360 wrote to memory of 4428	2360	Ffimfqgm.exe	97
PID 4428 wrote to memory of 1424	4428	Fkffog32.exe	98
PID 4428 wrote to memory of 1424	4428	Fkffog32.exe	98
PID 4428 wrote to memory of 1424	4428	Fkffog32.exe	98
PID 1424 wrote to memory of 2972	1424	Fdnjgmle.exe	99
PID 1424 wrote to memory of 2972	1424	Fdnjgmle.exe	99
PID 1424 wrote to memory of 2972	1424	Fdnjgmle.exe	99
PID 2972 wrote to memory of 4812	2972	Glebhjlg.exe	100
PID 2972 wrote to memory of 4812	2972	Glebhjlg.exe	100
PID 2972 wrote to memory of 4812	2972	Glebhjlg.exe	100
PID 4812 wrote to memory of 5032	4812	Gcojed32.exe	101
PID 4812 wrote to memory of 5032	4812	Gcojed32.exe	101
PID 4812 wrote to memory of 5032	4812	Gcojed32.exe	101
PID 5032 wrote to memory of 1232	5032	Gdqgmmjb.exe	102
PID 5032 wrote to memory of 1232	5032	Gdqgmmjb.exe	102
PID 5032 wrote to memory of 1232	5032	Gdqgmmjb.exe	102
PID 1232 wrote to memory of 3096	1232	Gkkojgao.exe	103
PID 1232 wrote to memory of 3096	1232	Gkkojgao.exe	103
PID 1232 wrote to memory of 3096	1232	Gkkojgao.exe	103
PID 3096 wrote to memory of 468	3096	Gdcdbl32.exe	104
PID 3096 wrote to memory of 468	3096	Gdcdbl32.exe	104
PID 3096 wrote to memory of 468	3096	Gdcdbl32.exe	104
PID 468 wrote to memory of 4936	468	Gcddpdpo.exe	105
PID 468 wrote to memory of 4936	468	Gcddpdpo.exe	105
PID 468 wrote to memory of 4936	468	Gcddpdpo.exe	105
PID 4936 wrote to memory of 2056	4936	Gdeqhl32.exe	106

C:\Users\Admin\AppData\Local\Temp\554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe
"C:\Users\Admin\AppData\Local\Temp\554335a67d26622a18a4024b32f37febfc27577acea30c963e2ea36d303add61N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Eekaebcm.exe
  C:\Windows\system32\Eekaebcm.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Ehimanbq.exe
    C:\Windows\system32\Ehimanbq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\SysWOW64\Ecoangbg.exe
      C:\Windows\system32\Ecoangbg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\Fdegandp.exe
        
        C:\Windows\system32\Fdegandp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\SysWOW64\Fllpbldb.exe
        
        C:\Windows\system32\Fllpbldb.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Fojlngce.exe
        
        C:\Windows\system32\Fojlngce.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Fdgdgnbm.exe
        
        C:\Windows\system32\Fdgdgnbm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Fkalchij.exe
        
        C:\Windows\system32\Fkalchij.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Fakdpb32.exe
        
        C:\Windows\system32\Fakdpb32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Fhemmlhc.exe
        
        C:\Windows\system32\Fhemmlhc.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Fooeif32.exe
        
        C:\Windows\system32\Fooeif32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Ffimfqgm.exe
        
        C:\Windows\system32\Ffimfqgm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Fkffog32.exe
        
        C:\Windows\system32\Fkffog32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Fdnjgmle.exe
        
        C:\Windows\system32\Fdnjgmle.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Glebhjlg.exe
        
        C:\Windows\system32\Glebhjlg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Gcojed32.exe
        
        C:\Windows\system32\Gcojed32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Gdqgmmjb.exe
        
        C:\Windows\system32\Gdqgmmjb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Gkkojgao.exe
        
        C:\Windows\system32\Gkkojgao.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Gdcdbl32.exe
        
        C:\Windows\system32\Gdcdbl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Gcddpdpo.exe
        
        C:\Windows\system32\Gcddpdpo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Gdeqhl32.exe
        
        C:\Windows\system32\Gdeqhl32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Gokdeeec.exe
        
        C:\Windows\system32\Gokdeeec.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\Gdhmnlcj.exe
        
        C:\Windows\system32\Gdhmnlcj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Gmoeoidl.exe
        
        C:\Windows\system32\Gmoeoidl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Gcimkc32.exe
        
        C:\Windows\system32\Gcimkc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Hckjacjg.exe
        
        C:\Windows\system32\Hckjacjg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Helfik32.exe
        
        C:\Windows\system32\Helfik32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Hmcojh32.exe
        
        C:\Windows\system32\Hmcojh32.exe
        29⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\Hkikkeeo.exe
        
        C:\Windows\system32\Hkikkeeo.exe
        32⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Himldi32.exe
        
        C:\Windows\system32\Himldi32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Hkkhqd32.exe
        
        C:\Windows\system32\Hkkhqd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Hofdacke.exe
        
        C:\Windows\system32\Hofdacke.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2064
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3560
        
        C:\Windows\SysWOW64\Hoiafcic.exe
        
        C:\Windows\system32\Hoiafcic.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Hfcicmqp.exe
        
        C:\Windows\system32\Hfcicmqp.exe
        40⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Immapg32.exe
        
        C:\Windows\system32\Immapg32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        42⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Windows\SysWOW64\Iicbehnq.exe
        
        C:\Windows\system32\Iicbehnq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Icifbang.exe
        
        C:\Windows\system32\Icifbang.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Ildkgc32.exe
        
        C:\Windows\system32\Ildkgc32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Iemppiab.exe
        
        C:\Windows\system32\Iemppiab.exe
        46⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Ipbdmaah.exe
        
        C:\Windows\system32\Ipbdmaah.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ieolehop.exe
        
        C:\Windows\system32\Ieolehop.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Jfoiokfb.exe
        
        C:\Windows\system32\Jfoiokfb.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Jcbihpel.exe
        
        C:\Windows\system32\Jcbihpel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Jedeph32.exe
        
        C:\Windows\system32\Jedeph32.exe
        53⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1224
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        56⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Jlpkba32.exe
        
        C:\Windows\system32\Jlpkba32.exe
        57⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Jplfcpin.exe
        
        C:\Windows\system32\Jplfcpin.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Jbjcolha.exe
        
        C:\Windows\system32\Jbjcolha.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Jcioiood.exe
        
        C:\Windows\system32\Jcioiood.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Jifhaenk.exe
        
        C:\Windows\system32\Jifhaenk.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Jpppnp32.exe
        
        C:\Windows\system32\Jpppnp32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Kiidgeki.exe
        
        C:\Windows\system32\Kiidgeki.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Kmfmmcbo.exe
        
        C:\Windows\system32\Kmfmmcbo.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Kebbafoj.exe
        
        C:\Windows\system32\Kebbafoj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Kfankifm.exe
        
        C:\Windows\system32\Kfankifm.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Kbhoqj32.exe
        
        C:\Windows\system32\Kbhoqj32.exe
        70⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\Kefkme32.exe
        
        C:\Windows\system32\Kefkme32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Lmppcbjd.exe
        
        C:\Windows\system32\Lmppcbjd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Lpnlpnih.exe
        
        C:\Windows\system32\Lpnlpnih.exe
        76⤵
        
        PID:352
        
        C:\Windows\SysWOW64\Lbmhlihl.exe
        
        C:\Windows\system32\Lbmhlihl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5024
        
        C:\Windows\SysWOW64\Lfhdlh32.exe
        
        C:\Windows\system32\Lfhdlh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Lmbmibhb.exe
        
        C:\Windows\system32\Lmbmibhb.exe
        79⤵
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ldleel32.exe
        
        C:\Windows\system32\Ldleel32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Lfkaag32.exe
        
        C:\Windows\system32\Lfkaag32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2084
        
        C:\Windows\SysWOW64\Ldoaklml.exe
        
        C:\Windows\system32\Ldoaklml.exe
        83⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Lepncd32.exe
        
        C:\Windows\system32\Lepncd32.exe
        84⤵
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Lljfpnjg.exe
        
        C:\Windows\system32\Lljfpnjg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1816
        
        C:\Windows\SysWOW64\Lgokmgjm.exe
        
        C:\Windows\system32\Lgokmgjm.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        87⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        88⤵
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Megdccmb.exe
        
        C:\Windows\system32\Megdccmb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        90⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        95⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        96⤵
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4472
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        105⤵
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        106⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        111⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        112⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5672
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        116⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        117⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        118⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        120⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        121⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        122⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        123⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        125⤵
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        127⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        129⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        130⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        131⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        132⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5620
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        135⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        137⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        139⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        140⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        142⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        143⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        145⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        147⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        149⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        150⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        153⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        155⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        156⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        158⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        161⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        168⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6244
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        170⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        173⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        174⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        175⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6604
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:6696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 412
        179⤵
        Program crash
        
        PID:6812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6696 -ip 6696
1⤵
PID:6752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
77KB

MD5
b12f004dbdd80e0667887135ffffac7b

SHA1
758d02fffc94817f77e139205b9fdd2ed0c1f3cc

SHA256
345063312f28b1f7d9fd80349413707eb374809da35d6665e0483dd585d34a66

SHA512
d35d2d0cabff5bd3d8f78fecc7a0442bd979052003384c07e0600c17acedd2839f0189ae05d4066c4ae5c3fa03e997c35c8bd60ae4a5f01f9ef7231f2bb889b8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
77KB

MD5
839e719c8420ea19a693ab2332ecbb8e

SHA1
dabd88f44ad14632666f79a803921cc4f401adf2

SHA256
e3f681c30eb9539d39df4f5ad711770940bd70a416980aa26bff3a4b1ea58359

SHA512
b718fdb846c76a8758bcedc80a43e0241ed1ea761479db73d4aba23fe505a4549b649060a3cacb06cea5365685ba76262ffb62289a794faf39c2d7dd665063f5

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
77KB

MD5
afd2dd0caf45524f2a1c91bf9452ab09

SHA1
27937d081dfb9808193ee2191571e09c9750dbff

SHA256
d99e3ae545750f914402bd9bb92b99c78e7ff10378d4d92351b98102a17fd2f7

SHA512
13f65c73b3aa188fcde10289b3edb8444aacfbdc2234cd7b624e3f71101ae68e4caacff754ac68aaffde90bc05386e838d3e8c50fc2099a806c5f2158b29bcee

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
77KB

MD5
7e3c0029eb9e171b87c5d32d95d30dcf

SHA1
7c1e4a6323f842d3296b62fae585d0df00400488

SHA256
f352ab346729a5fd9dc70a743c45de76a30c6fe796c7d9055130ba0c0880d218

SHA512
d43eba04ab99cf576d0410529f52a1eb45454605cd2fb21716eb2ff851fdf857dce483179904690358ac75bbe236604f774f204b7861402d0c6b5068e2c6992b

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
77KB

MD5
9061698fec9697954a5478d00f5ce2fc

SHA1
22cdc1a73e89a7c70d8da40e8461c5cc62d09038

SHA256
930fcb5722549686ae912efb0c891680a001f1c8d84c90d32af0f36af29fffc8

SHA512
fa9e5e3ad0460128bc3c28d6b253e5b745eef78d682c4d78292c33f12676835d6f493486fbf893685a40cfd444d4f4a5ecd4ecf42772f5bcaf9af7e88bfd5f49

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
77KB

MD5
b3d0aeacdd448d25576225355e55bb71

SHA1
572a56ea7b4750e9e65ab1582b09688113a1db4d

SHA256
8ea22215dc2bc861d075ef30359f9ec894941be722efc52cba925bc39d0b530a

SHA512
516fa60a6ef0fbf765763cf35f6123b9f768ee2e5fbd82184f4e8ad7cdd29bd639f17b2aac628aa79e6e6b6fe78110641d242f69575ebc85c024679f4d28562e

Download Submit
C:\Windows\SysWOW64\Ecoangbg.exe

Filesize
77KB

MD5
9f74d7b996a24c47de554a402017ab3c

SHA1
e63229a22ff59cc25ebd592998056dcc97f6a323

SHA256
1c4bc166f0e616ec5e884612991ef3748e613b1f87ef5b6876c8aa8ac7a90d6b

SHA512
0e2f947dbbdda5dbb464f7e944254f7706d1fad76d31b354b7e8d7f86a99739f90d64643a5a51c5138a29e2115f3eb311d791300b59087892669ff7b4253bf8c

Download Submit
C:\Windows\SysWOW64\Eekaebcm.exe

Filesize
77KB

MD5
d7c680eda3a23cdd7f6eb433ac72f288

SHA1
fd3eb42732a61edab870eebad21a445d4e68db80

SHA256
f19ad3359bf1c09176d474b8162875bfc0fc98025f8d4d1a52b0a60cc19df6e3

SHA512
f9646b486d5cbd392ff0114a48e6e46db7b695ef67491c4d6436438a88309d6ca87624f3922e53a1307acf607f7621d11635bb10d45889a4b79d9121e23a860c

Download Submit
C:\Windows\SysWOW64\Ehimanbq.exe

Filesize
77KB

MD5
7d5c88a141c7c7f0c1d473411a62856b

SHA1
3a3800463416dc53d134da287870057e9e5c144e

SHA256
78fd0e1a2f52d3720726466a5227cfb067f2d9ebd1d2946ab4132f06c3bcb3ae

SHA512
ea4235af91483d58f2b4cc35a11e60fbd22519c31a080fb296e1cb559b55406366b8909942e855968b059eaa0926c510df19c5bb1327e1e837dbbbc5d8957eb3

Download Submit
C:\Windows\SysWOW64\Fakdpb32.exe

Filesize
77KB

MD5
b550de999ed128a933bd2d8465341a1c

SHA1
0d13d1bc1deab5f00f41cdb35331113c8e68149f

SHA256
20a6e10df0bdf967e341fc7894fbfa7491e0b3b47d605ae95efc45e4d832f416

SHA512
ac8c6ff1b87c1c752c7f40c351183d2d5c23287dcf5b20d145f13529544ac1a02eee286c3db96ec154fe373bb30a4691ae850b6804d5d66c0d7c48b5241f21b2

Download Submit
C:\Windows\SysWOW64\Fdegandp.exe

Filesize
77KB

MD5
b191c20aff5d482c4af16b2fc75149e5

SHA1
4eec1244a925d0be283762800d5469f0c0fd7dd4

SHA256
35b41334f017b25bea93219f991dbb1e15f2d690f5e7135a95e0e3acca5c8d85

SHA512
b554d4c3e9335ad267facf0a557b86108fd9dcdd5307b06be6c36cc602e18b58b09a0eb110eeaf60db6edeb9b60f9e5a614f64d62c485c6df6db18a6651214bc

Download Submit
C:\Windows\SysWOW64\Fdgdgnbm.exe

Filesize
77KB

MD5
a7aa24501c6bde9faf8d3f9af39be1ce

SHA1
2135dc0a6030f4675d2c6f65e6a4cccf054861df

SHA256
9175572a75110ee0d0a92119a51d20bff6d1be5c3a8af3a6d77a282a06480bdd

SHA512
a0f1e570aee36237ee28d3df852a167342d55842fb882edf6cfeb1644db02fc302ea65c61e2e4bb729ce54bbc149892a59de2e3cd87caecdc6dfa78c4ce1af93

Download Submit
C:\Windows\SysWOW64\Fdnjgmle.exe

Filesize
77KB

MD5
f60607747bb7d4f127dbbf4d55e98089

SHA1
974e72fe2621ae0b8466f9607ffbe4c01e90ba9c

SHA256
439a1e3974a1f6c89eb2d3b0136b7afa2fcfeaf1d67029f4304149c416a901df

SHA512
d212a695f9efcd931f5fd44ee7df9862a7bde5b813eaae24908a612ff2c6d422c9fb3f5ecff35eff9a6dfcfb1401661947e83a6f8a7144b6ffeb64c168faeb55

Download Submit
C:\Windows\SysWOW64\Ffimfqgm.exe

Filesize
77KB

MD5
7b0b3da128ddf1197265ddc700687520

SHA1
efb20a035372e9e4b9c6dc205bb40c826e7bdc9f

SHA256
57fbd8f25e45f807074463ccb75c53c5b3d0d3e08bdf88de7cd7be1f5b1faeec

SHA512
e98d0329db3b3182d7f6ba74fbac7ecf94e95199e8f4ef45622ef510dd12ac9f87da75973f1030f59684745499722d6ca08e01e00a8a5a77636d3314a80bc68b

Download Submit
C:\Windows\SysWOW64\Fhemmlhc.exe

Filesize
77KB

MD5
e27dd5a6b6c2981c0836590ec2032b81

SHA1
a892a81c31dc8a1a894cda1365c5b39994bf8f44

SHA256
b4ca7791e4706643a4b1120f612e2f0d6ae01715bcc1c72c4c6a17c5bd20d0f3

SHA512
00d5e7b46a21df1e4af006d3d01b8941cd7eb833a066066a05f5f45efc46609556089bad7bf971b4723178bb6d96ad9d86020f97cb8c8914d6250eeb24e549c7

Download Submit
C:\Windows\SysWOW64\Fiknll32.dll

Filesize
7KB

MD5
2eb76ddfcf00b54ea9cf935411cec92c

SHA1
622d46bac86f1f4e8ce663ec1fa4cd43c2e20b13

SHA256
896561a12b1a549df6d9e3b7bc75378a30fdda0669468e630d71d191dbc52e62

SHA512
0d9e43870b3a5f1b9a0c8ab0a25349521bd288f34124d6ffc7ef8c8c44d25baecd5f547e18d43869f4b1ab658659525c611b33bf903b6d2a466f29c4e83b95e7

Download Submit
C:\Windows\SysWOW64\Fkalchij.exe

Filesize
77KB

MD5
36007bbaeaa1bcc628c40e2f442f9574

SHA1
bc016d4736c2e9e9e1f5cef57cdc00377b7e532f

SHA256
4b7aed4bef2555de7eadcfaab7d57db5b35315fb7f07029073ad05dc2c0206b0

SHA512
d673cfd07957a8abd026022d0d0f76e939185f27e6a790c61dc5897cfcc8ca56f5f13b975649aed7b2a374268fb3fbb7fafe593316046525937546fe76587762

Download Submit
C:\Windows\SysWOW64\Fkffog32.exe

Filesize
77KB

MD5
259a59deca600f5aa1c4b2f11d9d5090

SHA1
ad45c2546778adf8dbb631b8a3f2ae67802f4d47

SHA256
93fafd2029785d2460ad4ee8829ea67ab7a48bda8bcccc7c9a21885871015931

SHA512
b97f1b4445c4b9b51997415b1b77019d4187993763eda1b6bca80449f057210097d77695c1b1d0468aea5fed6abee6585b61434010bad1fdb5a6551523604b5c

Download Submit
C:\Windows\SysWOW64\Fllpbldb.exe

Filesize
77KB

MD5
198d28189e80e38f2f205827ad3866b6

SHA1
427cdaf66daa669dfe74ebacc15ea03bf1946f63

SHA256
f1142e7cb65c98db83b4ce29412f78f4cee4869315b00dc5d900ca3414d12347

SHA512
9da60a9feee81b7f2a9381f9559a25761c80f48bb0f651f058fc527bf986e313f858969f29dfbbeceb483d54bf4fc2d75a469fcb1889d9e0bc2a95b44edf6306

Download Submit
C:\Windows\SysWOW64\Fojlngce.exe

Filesize
77KB

MD5
2b3a2640965288bb5aab117dfa19a6da

SHA1
f4dc548049224eaacf8a3591bb856d235ca2fbb8

SHA256
ab6aff2334b8610ca9a55fb454353d358f4277c6d781979f5a80c7521ab27e43

SHA512
04c4d591e49b5d274687574b23ba181fb18acd96af00fe5d6e82f69f33bdad21c35a7884e61b7cd549e863a07bf4e054029d3beda30152f897dea8a98cefb0b9

Download Submit
C:\Windows\SysWOW64\Fooeif32.exe

Filesize
77KB

MD5
f98b5b8a165365be986de6eaea3c7b37

SHA1
198e5a2723271d5dc410ebe3f2be187468ad66d4

SHA256
2444834857cba5665d4d05362fec9c2b3870d2f5c2eaf336fb9966da7f6a9f38

SHA512
53bd21d1529982c6e6135b418fe828e5325d96bae9bad528fe1429f096f108ca4130bb7528c6b121c76d751948df86a26d260ad2445d36d66cb942197e3492ce

Download Submit
C:\Windows\SysWOW64\Gcddpdpo.exe

Filesize
77KB

MD5
a3d54e9e0c4b3a419d92bbdf36367701

SHA1
9487845cb9af0d3f6be07927079824665a066965

SHA256
d563eae9a0c9468608d0c3f67dc1ff7a65d82a774f466187354f8af70be6246f

SHA512
6ec6e5d245f6c3216fb94258dfef20260477a60ffec9873b7f35a2247469f7f8f1f44fd48c09912acef3204df2be2d3d04eb64aa6fd43771bfe696c0d1be603a

Download Submit
C:\Windows\SysWOW64\Gcimkc32.exe

Filesize
77KB

MD5
7b839ffc2019145a34c2a4530178de64

SHA1
f821dc488a0eca8c3ff30ebdbb60659f8a2cc050

SHA256
c2bc5faf26d14949399458cf326c27e5fa72f6d28997aa186f187353249bec6d

SHA512
206b4a7e5c905283c7c1777892f34e3db805e6357698474db34ef82b6827a9df9c7a5ccc4864c62f25c81a35abe371e7337c14c7c41c5cd4dfef642b8a75909b

Download Submit
C:\Windows\SysWOW64\Gcojed32.exe

Filesize
77KB

MD5
352c5759dbdd18de500c2f5098b6e8af

SHA1
974616e2ba83b75aeb04cec22b0d980362ae9a5c

SHA256
6ae5122fe0d7b0fc83e2be8130c0461a953ded84fb9996249399798a05fe80a0

SHA512
0aa965738f3dd29cb7e81e3b4a08035acbcdc96535b22474745e2ce4101ea8a0c8eb5db655ea41e11e1fe000d5a357d4bd2118af1d46db46e78061957c5d0c73

Download Submit
C:\Windows\SysWOW64\Gdcdbl32.exe

Filesize
77KB

MD5
c4eda2abf99c751316828978b2d3be58

SHA1
4af392a79eabe1cda82c69f386a46a17dafada9a

SHA256
cfd04283f91d8bfb94deeee38716c74e95b2c47af1b1c823fa24b624b3bcb82a

SHA512
5b2189a75a4bb4947bf8b9671fb2c55d06747c7195e9baa302fc7f4a134a90213c30ece16fadeed0e321b096f4a897ff0c73f9b9cf7c12b338f4c0a33542f006

Download Submit
C:\Windows\SysWOW64\Gdeqhl32.exe

Filesize
77KB

MD5
2cc78d617954ba4508da42d78a04050a

SHA1
81b1542138456a1175ebb7f26089557c2bd30493

SHA256
88b97510bc752a237716a6845afd6c575dd2845415d6ad69bcfb35515ccce316

SHA512
805f52d3afe78fb6e83d6f942353c3fc9915a2015773718c4804e6a7ac6da02d017fe0428d8fa6264a186dd6bfe41bd7b7dd966f7cf3a24c23f3e0bd53a404b0

Download Submit
C:\Windows\SysWOW64\Gdhmnlcj.exe

Filesize
77KB

MD5
3979da4eccb57a837b483562d295dd74

SHA1
55c34c4dba72c451d1176cad78d2611a079c0f36

SHA256
21491e489dcffcbe858d8bf1628fe9e736540f3d7caa3432f5ed24acbab6d9bf

SHA512
a43dd08db5781535f68045533eca1c1b163dac7250c0dafdbc7155fac2d7d2806ee015f9880b8fc9ae772c535d7931da8a051e65e32483abca870227a2bf795e

Download Submit
C:\Windows\SysWOW64\Gdqgmmjb.exe

Filesize
77KB

MD5
c58b95c42f9a9884f80ea07b968035a3

SHA1
b23bdf000f9210eb2e84e65ba3cc81d720f52133

SHA256
865f8f5875805cc09ab80a189ed97efa77568b2f9dec35867cff2004d282b866

SHA512
de28b4ca12fc665501f7ec84c0d55030b63280ae31496ede238643197fbd6c32a151c3b6b226384a32a31f763cecf54bceb870d3c43d9913acf6aa9e93a7c7e2

Download Submit
C:\Windows\SysWOW64\Gkkojgao.exe

Filesize
77KB

MD5
5720813402160a2fa820130571911b44

SHA1
f10d58e3f57adf2b319e8573634804f35460e918

SHA256
f66b6bf9a5c5d9f5f17958b29d99e5929491c5f2456f07b8726d27d0b4e13fcc

SHA512
8d206497e6a1e0c04239cec84817f1c8e0dc7de79f50f02d0d11112260a1fb14a039c7fe4916b64884dd88b005cfcfd810cdea61b60d6c958aeca32239bb8ed6

Download Submit
C:\Windows\SysWOW64\Glebhjlg.exe

Filesize
77KB

MD5
599e14ea08f33e02167861746fed3671

SHA1
90a6a0fbc3ec9ece303a3ad17f7e3a43d9b3218c

SHA256
9c8553e0bd8a3829b35e50666a2070f92c7ca500758cb14e486a927f0da7601f

SHA512
ea880551733f67df970c4e532806f7a5c59ddc6694898c4233995ce10ec85c170be558dd0e9ec123d166ab428448178814d20ff60d12a7f6e48f9b295b2aefd2

Download Submit
C:\Windows\SysWOW64\Gmoeoidl.exe

Filesize
77KB

MD5
11a78c0623837be5b6349cf713c0b685

SHA1
8d4e33cdb39084ff88ddea6d7f2af5cb6c18f7f9

SHA256
0567ac92f098a3c28c0e11256efeea14f9983d5484eb3771c3aa3af6a533aabc

SHA512
e6064e342984109dd6987f48fc79133ede1d7df271d33853284040dfab196c21900305d5c12b2a01988a4c8b5e47d54b9099c31e5a44a67536ce6f9b921b7cd5

Download Submit
C:\Windows\SysWOW64\Gokdeeec.exe

Filesize
77KB

MD5
1ca0e548e066a979ebb6272f373ef64a

SHA1
a79017ff9c0d82fe9b724d92316e69e2c24ffdb2

SHA256
df65a4eb8033a40d03afd0a75f3f4832ab5626cd43f14871908ed639f161df3a

SHA512
68c655b86e4b500ab2a67aa3deba3f3c6aa29e56e9fee1e14b00fd5b4374f03596e56d60bc9fb098cd8a7f093e6ffb9e9bd5484eda02c2d635c153cb1215cae1

Download Submit
C:\Windows\SysWOW64\Hckjacjg.exe

Filesize
77KB

MD5
93f84c66d1d58c89f212050a5661c08d

SHA1
eb791c79209e4e61b8b80716a04a73aa41a9d9bc

SHA256
608b1a4b40a816e3fcba0a6a2ea09b4e1988d6bc1df1ad2ba7b4938a14ce8679

SHA512
e4d3f0baeb476f2ae9d3a077d6ef25ca0996cf984558efeb5308941d370e253c340885d9aa60f1c2cc42a1c637d0cd038597c26622379ae9a27b40ee9a33ab4c

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
77KB

MD5
ec86c94a3340eec4e608f79438be455c

SHA1
60fffcfd27cb30cf3c819744b3c25bfe28b07a77

SHA256
98b9e90ca85cd497e9a2dc65ce49c959d6b659b22f2aefcc4555d9cd961e4259

SHA512
9511793fc43369a38459229d3135d9fd11080b99b4f6cc37fbc2c936521b0df63ffe94ca1bea3e1e05eb382b92dbec512c0229b9fd190236bca775ab58dd1c64

Download Submit
C:\Windows\SysWOW64\Helfik32.exe

Filesize
77KB

MD5
835d7c395870e96265086a2ad354119b

SHA1
22538a0416f1e1301a3d9b6bbc2e8d4a3ad61f5c

SHA256
c993d9f4b080a1084bb670c3c87fceacd4c318bfb326c59f12ba08998ecdcf47

SHA512
bab9f692ee058bcb85275760cfb3c228d40467bb00f9c137e01641abf27c4c101d1de65609e40db41544d638c9808e5fe33b2be3fdc6429f3780fe047ec4c96c

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
77KB

MD5
94182b1190918427a45970327fedb2a2

SHA1
bd12a3302a63ee7a7624639a09f16f4f2615aa4b

SHA256
5853660e81e4bfbe45237ca782b8c9b2c29f22657a830e562d13044d9c95815e

SHA512
2209fdc0e4b6f7e2da507d25f30189d202f7d19a7c8735ff07b947acc72712c0c41a4a0efae2b7cea8592a02cfb613752e828d222118de9db627bad41863fdda

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
77KB

MD5
9aceb142bd56b2585b2116823f9cf752

SHA1
aaf1bad71ce283363cfe90a64be0e328ea72afa1

SHA256
fce540f6e494bb007e8f1c207f838c94d579150ab53de59ca599a9fdb038b1e2

SHA512
046d42b8298fd542d4fe19720d1ae7ff4a04a3bda06db340cf9ca82eabcef4caafb6c4fc14c0630c1d69aa61b9cf235ff5d0c4cf966cb1fc30fbec75e8b733ad

Download Submit
C:\Windows\SysWOW64\Hkikkeeo.exe

Filesize
77KB

MD5
7426ae253fa661080a509bade1ef992a

SHA1
b0267a3379279a72b93ad07c9ac29a755bcb9e8c

SHA256
12884dd798fe67d06369cfff1c567528d9d65a524927735c99f987e8bf63e4fe

SHA512
c8ccbe3e034806f3d6ede8b6e3cc701cb3efeb7f13ad564631afe0d48ace8ffc37c1c94e456dbc951db6b984b53222ea94976b0cdebf072a4cafe9f5ce173853

Download Submit
C:\Windows\SysWOW64\Hmcojh32.exe

Filesize
77KB

MD5
e22d1df50ff4a86b956d251e68d69063

SHA1
20e41b861760699b01a9ecf13ac81577b73f44ce

SHA256
1bd0e7e0b7770c2c1b479ee359ec7b7955d6a96dfa378767211d510a55e2a353

SHA512
770f43e58c22af58e401a171d1c9820bdf55710dbd40a2431d508eaf66dd0cfd57d524804cbe31e24b38abfda6344b4a4aaeb8ccd633933c53cee21bdfbe0090

Download Submit
C:\Windows\SysWOW64\Icifbang.exe

Filesize
77KB

MD5
5810ee057a2cc2444ac39e3018445ec5

SHA1
e459a8109247df716d26eb9d48a140a4c800f71f

SHA256
67195fea69aed0866a01742170dee5c129cba1b4388ee4f304f6035ce975e2ff

SHA512
3f7414cf8819b10000f64ab2491990fd2356246d539b5107531f9e2188aa48098329d3e4959edd24a383e2db16cf11aab2aa6062b6ac2569637684d42805c9c3

Download Submit
C:\Windows\SysWOW64\Iemppiab.exe

Filesize
77KB

MD5
e3e5f4d0381122e72edfec59cd86bb63

SHA1
a0046a93450e60c07d963c5a37426e99fc57311f

SHA256
1998ab25e117dabf001cb8cfcfcb2087a8f4f01de93ae7d075b106ac1f08304e

SHA512
14dead71b83a7d34e62a0471a90d865ea070975a801ff10c05511ad0956e83c01f8aab04316208b4677732a754f008177312b575ec999c8a7215f92f57449c48

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
77KB

MD5
b5b96f6f711c149b447f5450935561a6

SHA1
0b77917a2022ba7a23d60ff6aa5d3199e39626ee

SHA256
24f9e1cf5bca860e92d8c44c14388e1fbbac25fa8e72dbf20627fd43e0031b52

SHA512
473be25b18c6114778f924b90da169ffd83c019b3c26b66d5972f1cde1fa0018cc9a3ee3d30edb33851fd6223cba265fbc1572edcf455dfd2b504a4ed3362974

Download Submit
C:\Windows\SysWOW64\Jplfcpin.exe

Filesize
77KB

MD5
ac561529957c8c5cc915aa48d6b99e8d

SHA1
2cc7c2a03b0db6c88cef62f67c526c05ee75a3aa

SHA256
16fef6dce3b09cc75222457cf7efc63804146d11f414875823e124fd5af027ce

SHA512
2c799604b9683a7b9444ba7ac745bf5e9a3be604e4cb583c10e41d723cfeb85bfc75d9636742495bcbbbc5cefb74bd221410a75f7327534a1150ecdc13ecbee4

Download Submit
C:\Windows\SysWOW64\Kbhoqj32.exe

Filesize
77KB

MD5
6d055fc1276322c818653cb30e6b76f0

SHA1
dc182c194d5873b7199dcd584051a2003a669779

SHA256
756677c6e39a488aa97791960e105232ccde1eeb32b5c48de344165116f5dad6

SHA512
9ecf2389a764eb3dda5f8e11dc51a472dac14a3370bb66eb9e731eb2376915a5b5072cf23d0c6b59d397108615dbeb3d13cfc08d64e734e70a94a0d296750d17

Download Submit
C:\Windows\SysWOW64\Kdgljmcd.exe

Filesize
77KB

MD5
aeef447b437d18aa07c0278082971750

SHA1
4a7acaf31395b143d9e861eb7512d3abe8e5df75

SHA256
9f39b192ed8255311c094020c706d013826597f7d0141cb2ecaad79c9f76caa7

SHA512
2840bf7f98e81e2b4de823a7d853d6029f3bcc7bd426212d65d9d79f3980c3697a78870d194d10a3fdbc331440458eddbcc903748689f97af124c3182e065526

Download Submit
C:\Windows\SysWOW64\Kdnidn32.exe

Filesize
77KB

MD5
f5c8cd9de8bd34e19b99f0559e7e7c88

SHA1
80cce7ba6e8c5859363c15486a29888770b0b4e3

SHA256
2320efb4b5020eecefeaa7f1e08669d55f1c915d6957080321ff21b1e5e65d19

SHA512
8a2fc73e3aabc5d000dce4e79dd046b28ebca2e1321c77961a4c7c63232456e78989ee0f83f495ba415ec4ec87a3d47053d9241dfd405ccef331d451e6e82dbe

Download Submit
C:\Windows\SysWOW64\Ldoaklml.exe

Filesize
77KB

MD5
81f10d159ec554fe7556f98562291416

SHA1
03cca801375a215b6e6123452f4934ad7e85ab23

SHA256
6547f21aea6655263549958a151b00604cad69aeda0765a128aa7fc4507ea5a8

SHA512
59f352c4c5123f4e68dae69f482f40274c399bf0c64859b428f7330c0d529573aca9566cc2e546bd940271660633e883439acaf6836ca9599d11d5b82f6a64b9

Download Submit
C:\Windows\SysWOW64\Lfkaag32.exe

Filesize
77KB

MD5
ae20cb78ed757914e6e2529365acbc86

SHA1
44d2922fc4d792d312d2277d259c8423ebbce440

SHA256
5ed3aa153347352ec33b3966d9a79a60a8229e01e17d24bd126162b1ed210031

SHA512
1cb5da65a4d80aa32979db0ac44a5168ce7ef4a887a37822ac51e3f94cb0e719690164c5223d29b7b83a65a5e94a84c5cb106ae11808face464e201a81221958

Download Submit
C:\Windows\SysWOW64\Lingibiq.exe

Filesize
77KB

MD5
f981c49833e0dbcec65e991ec44faa4a

SHA1
620a286491b085c9d4f8c6c4e2cad921fde44f3b

SHA256
8466177be63cd9b73b7ae4b8544160bd03ad0a5a205396a428a06aa935ca4f01

SHA512
c76ffe187eafdf80339529f4db76adbbecbaeb2262bbcb744217b6b21e046860f3de70bbea6ba5738d79ea82d23d06f489dd640ef3cc57816776d78be1c0a9fe

Download Submit
C:\Windows\SysWOW64\Lmppcbjd.exe

Filesize
77KB

MD5
25150327e1f6c060c42c34158ad9f049

SHA1
80b1db7902ae86effd5589d68d51f50bdd8d3554

SHA256
1f333613cf75f6bf4a10012e801f9e1d348164206a0061f0e47dc3050d852621

SHA512
13272a692b3ba985d1841c0f2729c6aea185abde628f058e7a20e3ebfd2be6287239bc6ef00ca22acd0e52dc24a0c057dcaa8194fab088c91fc505bfeb32e826

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
77KB

MD5
c5bdb0f5ee5ee060d08062ccfe9261af

SHA1
bbf0dfbcc2e77d468bac655f6be534d6c627c26d

SHA256
ccdc0a1512e25ce194f9a57d9bcc6c95108b44ca1066008a9c64203a81ad0bc9

SHA512
37ae0141ab58311c6580a44f2e44293142fecab9f92dbce82db01c549f90c3717b771d58a447129be70254b9cfe977238a85116aa44cea42b0fe338d67d46cf1

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
77KB

MD5
ee104cd6b1b104cdc0812bb49e011fbc

SHA1
92e586c1105f62d2e900a30bb4ef417df2811291

SHA256
e77e0b5794c757b12bfd6dae3d5d6533a0c128ccba27d095fbc53097aec53762

SHA512
498a78fb949d5b8631bb308d10ae2ec15c312b6afacc144115b479b1694d5e7062dd52767896042b0b96cf15b9540a1b57cef301e5daec4c876131a7a9a535e5

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
77KB

MD5
01b4d9b01c3f56cd2c997f011b3321f2

SHA1
4c747e77f438e6b6bb18c8cd2a528568ae16ad37

SHA256
46e816bfc4e0bc39b027cedfcd5ef1345a0956dcea80359a6a2d96f7b33fcd23

SHA512
605f0c0c5295f81c2be582aa67d856950bcd7f1d0ba1d51cfc586af1625cc5ac07f3a6a7168aaf589bcfd8162fe6dac16bff7ac4f1da066fdf0631ebfea481e5

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
64KB

MD5
5973657ea784c55eeb6b9669c90e6136

SHA1
377fbfee1f9e8a0fb55f279b05f3c08e2d2448be

SHA256
7e01cda3b1d303247fb33ec6b0d45018f2d5cb139f8011c8f5c5a45ca65487ee

SHA512
b37a378f497a1f607105fa92d3ca01921d8ebcb8b5e1361b76a938f4a32cc8dd052fc36bbdb667e494f1004e8cce9d33d1865909282187f8eff6b96d36a58eda

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
77KB

MD5
bfea8ee743a73e0af89d6819369d8b2e

SHA1
a91ec364c6dd7299b8b40d6f8de0e7ddc42aaaa0

SHA256
cbb603ac1f4350c9b7ba4daa26adbd5ce491ee9978db922131cfe97d0e8a9276

SHA512
3a0efbf6b3d0a2a46305ce3414678cbcce60c36caafb9da10e1d8769b490f281dbe9a6999255ea94b1bdbc20932e69514b7d9fb70056fc645dc8085ef8e5414b

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
77KB

MD5
d3567d99d4617b951e245de06bcf041d

SHA1
ae31e1e7b93c6bd9730ccdab3bb599a3c1a7e73c

SHA256
856b1cf320e9d6722e17aceed525957ca4937f9f739e0961ccabdc6b4ff2767b

SHA512
b6b2fd09bd62775b4eb3092aa84e1752e275f1aef630aeecb4665048fb720deabbe373c421182780c1ccf54db79de90b90992d6a1cbbadc10e00798aeaab5931

Download Submit
memory/352-514-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/384-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/440-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/748-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/888-496-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1220-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1456-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1496-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1656-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1816-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2284-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2308-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2356-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2536-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2696-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2972-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3104-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3192-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3196-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3284-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3288-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-490-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3488-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3504-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3560-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3672-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3684-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3692-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3720-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3772-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3964-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3996-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4012-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4016-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4228-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4284-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4312-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4408-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4452-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4668-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4920-472-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4976-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-508-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5020-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads