berbew | a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
Size

320KB
MD5

d585d3c5379c5c29b19eebfc28bcb3e1
SHA1

d878d2dc5070b5fe74be9087e2d408e3ee119dcc
SHA256

a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4
SHA512

ce304a8b1edcd2f845633979dcd675263ae79fd635f27ed551550aeca8f080821e560969a6d3f6bfb2b45b544479319f3768d98c4acc94122dac77670f189630
SSDEEP

6144:XKsQNUMTDsVQ///NR5fLvQ///NREQ///NR5fLYG3eujJ:XtQuMcw/Nq/NZ/NcZO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimpcke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfddkmch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljbipolj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabplobe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohhea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohhea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nommodjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfiif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fabmmejd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkcmjpma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liibgkoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhbbcail.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gleqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihnjmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmgfgham.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkdpnil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nommodjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neibanod.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fabmmejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gplcia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhnnnbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acadchoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfiif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqlfhjch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afndjdpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aicfgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkgog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hplphd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hplphd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljbipolj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfnhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdodmlcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idekbgji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mheeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlgkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alofnj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaggbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbpoebgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alofnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhqhmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nohddd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhnnnbaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idekbgji.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 48 IoCs

pid	Process
2900	Eebibf32.exe
2828	Fhbbcail.exe
2848	Fabmmejd.exe
2680	Gplcia32.exe
1892	Gleqdb32.exe
1980	Hhnnnbaj.exe
2064	Hplphd32.exe
2372	Ihnjmf32.exe
2924	Idekbgji.exe
2528	Jkcmjpma.exe
2304	Jmgfgham.exe
768	Jfddkmch.exe
2404	Kbkdpnil.exe
1812	Kaggbihl.exe
1292	Ljbipolj.exe
2552	Liibgkoo.exe
1624	Mohhea32.exe
1540	Mheeif32.exe
1116	Mlgkbi32.exe
2036	Nohddd32.exe
568	Nhqhmj32.exe
360	Nommodjj.exe
944	Neibanod.exe
3052	Oabplobe.exe
2808	Ogohdeam.exe
2876	Ocfiif32.exe
2788	Oqlfhjch.exe
1492	Pbpoebgc.exe
2664	Pfnhkq32.exe
1788	Pnimpcke.exe
784	Pkojoghl.exe
384	Qijdqp32.exe
2364	Afndjdpe.exe
2996	Acadchoo.exe
1900	Alofnj32.exe
2444	Aicfgn32.exe
2356	Admgglep.exe
1756	Bdodmlcm.exe
2284	Bdaabk32.exe
2244	Bmjekahk.exe
3056	Biqfpb32.exe
1768	Bdfjnkne.exe
628	Cbkgog32.exe
1076	Celpqbon.exe
1376	Cenmfbml.exe
2076	Chmibmlo.exe
1720	Chofhm32.exe
2576	Coindgbi.exe

Loads dropped DLL 64 IoCs

pid	Process
2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
2900	Eebibf32.exe
2900	Eebibf32.exe
2828	Fhbbcail.exe
2828	Fhbbcail.exe
2848	Fabmmejd.exe
2848	Fabmmejd.exe
2680	Gplcia32.exe
2680	Gplcia32.exe
1892	Gleqdb32.exe
1892	Gleqdb32.exe
1980	Hhnnnbaj.exe
1980	Hhnnnbaj.exe
2064	Hplphd32.exe
2064	Hplphd32.exe
2372	Ihnjmf32.exe
2372	Ihnjmf32.exe
2924	Idekbgji.exe
2924	Idekbgji.exe
2528	Jkcmjpma.exe
2528	Jkcmjpma.exe
2304	Jmgfgham.exe
2304	Jmgfgham.exe
768	Jfddkmch.exe
768	Jfddkmch.exe
2404	Kbkdpnil.exe
2404	Kbkdpnil.exe
1812	Kaggbihl.exe
1812	Kaggbihl.exe
1292	Ljbipolj.exe
1292	Ljbipolj.exe
2552	Liibgkoo.exe
2552	Liibgkoo.exe
1624	Mohhea32.exe
1624	Mohhea32.exe
1540	Mheeif32.exe
1540	Mheeif32.exe
1116	Mlgkbi32.exe
1116	Mlgkbi32.exe
2036	Nohddd32.exe
2036	Nohddd32.exe
568	Nhqhmj32.exe
568	Nhqhmj32.exe
360	Nommodjj.exe
360	Nommodjj.exe
944	Neibanod.exe
944	Neibanod.exe
3052	Oabplobe.exe
3052	Oabplobe.exe
2808	Ogohdeam.exe
2808	Ogohdeam.exe
2876	Ocfiif32.exe
2876	Ocfiif32.exe
2788	Oqlfhjch.exe
2788	Oqlfhjch.exe
1492	Pbpoebgc.exe
1492	Pbpoebgc.exe
2664	Pfnhkq32.exe
2664	Pfnhkq32.exe
1788	Pnimpcke.exe
1788	Pnimpcke.exe
784	Pkojoghl.exe
784	Pkojoghl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pnimpcke.exe	Pfnhkq32.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	Bdaabk32.exe
File created	C:\Windows\SysWOW64\Opnphfdp.dll	Eebibf32.exe
File opened for modification	C:\Windows\SysWOW64\Hhnnnbaj.exe	Gleqdb32.exe
File opened for modification	C:\Windows\SysWOW64\Hplphd32.exe	Hhnnnbaj.exe
File created	C:\Windows\SysWOW64\Liibgkoo.exe	Ljbipolj.exe
File opened for modification	C:\Windows\SysWOW64\Liibgkoo.exe	Ljbipolj.exe
File created	C:\Windows\SysWOW64\Lfkfhl32.dll	Liibgkoo.exe
File created	C:\Windows\SysWOW64\Cenmfbml.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Mohhea32.exe	Liibgkoo.exe
File created	C:\Windows\SysWOW64\Gdnipekj.dll	Oqlfhjch.exe
File opened for modification	C:\Windows\SysWOW64\Bdodmlcm.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Biqfpb32.exe	Bmjekahk.exe
File opened for modification	C:\Windows\SysWOW64\Oabplobe.exe	Neibanod.exe
File opened for modification	C:\Windows\SysWOW64\Acadchoo.exe	Afndjdpe.exe
File created	C:\Windows\SysWOW64\Gplcia32.exe	Fabmmejd.exe
File created	C:\Windows\SysWOW64\Jkcmjpma.exe	Idekbgji.exe
File opened for modification	C:\Windows\SysWOW64\Jkcmjpma.exe	Idekbgji.exe
File created	C:\Windows\SysWOW64\Fhihab32.dll	Ljbipolj.exe
File created	C:\Windows\SysWOW64\Gfjkqg32.dll	Mlgkbi32.exe
File created	C:\Windows\SysWOW64\Gimpofjk.dll	Nohddd32.exe
File created	C:\Windows\SysWOW64\Hlilhb32.dll	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Aicfgn32.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Mnmcojmg.dll	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
File opened for modification	C:\Windows\SysWOW64\Gplcia32.exe	Fabmmejd.exe
File created	C:\Windows\SysWOW64\Hhnnnbaj.exe	Gleqdb32.exe
File created	C:\Windows\SysWOW64\Gcmfdqgf.dll	Gleqdb32.exe
File created	C:\Windows\SysWOW64\Kbkdpnil.exe	Jfddkmch.exe
File created	C:\Windows\SysWOW64\Peiejhfb.dll	Nommodjj.exe
File created	C:\Windows\SysWOW64\Fabmmejd.exe	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Ndmdqcnk.dll	Ogohdeam.exe
File created	C:\Windows\SysWOW64\Pbpoebgc.exe	Oqlfhjch.exe
File created	C:\Windows\SysWOW64\Qijdqp32.exe	Pkojoghl.exe
File opened for modification	C:\Windows\SysWOW64\Afndjdpe.exe	Qijdqp32.exe
File opened for modification	C:\Windows\SysWOW64\Mheeif32.exe	Mohhea32.exe
File created	C:\Windows\SysWOW64\Gaklhb32.dll	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Afndjdpe.exe	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Djiiddfd.dll	Qijdqp32.exe
File created	C:\Windows\SysWOW64\Acadchoo.exe	Afndjdpe.exe
File created	C:\Windows\SysWOW64\Bdfjnkne.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Cdklmlof.dll	Hplphd32.exe
File created	C:\Windows\SysWOW64\Ipddpjfp.dll	Ihnjmf32.exe
File created	C:\Windows\SysWOW64\Aicfgn32.exe	Alofnj32.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Cenmfbml.exe
File created	C:\Windows\SysWOW64\Gleqdb32.exe	Gplcia32.exe
File created	C:\Windows\SysWOW64\Nlnlqk32.dll	Gplcia32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgkbi32.exe	Mheeif32.exe
File opened for modification	C:\Windows\SysWOW64\Pbpoebgc.exe	Oqlfhjch.exe
File created	C:\Windows\SysWOW64\Celpqbon.exe	Cbkgog32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File created	C:\Windows\SysWOW64\Jmgfgham.exe	Jkcmjpma.exe
File created	C:\Windows\SysWOW64\Imlkdf32.dll	Kaggbihl.exe
File created	C:\Windows\SysWOW64\Pfnhkq32.exe	Pbpoebgc.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Jlmhimhb.dll	Bdfjnkne.exe
File created	C:\Windows\SysWOW64\Kneibo32.dll	Fhbbcail.exe
File created	C:\Windows\SysWOW64\Nommodjj.exe	Nhqhmj32.exe
File created	C:\Windows\SysWOW64\Alofnj32.exe	Acadchoo.exe
File opened for modification	C:\Windows\SysWOW64\Cenmfbml.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Nqfilgbn.dll	Jmgfgham.exe
File created	C:\Windows\SysWOW64\Ljbipolj.exe	Kaggbihl.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bdodmlcm.exe

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljbipolj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgkbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neibanod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimpcke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkgog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenmfbml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fabmmejd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaggbihl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabplobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogohdeam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqlfhjch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afndjdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmgfgham.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mheeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhqhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfiif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alofnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gleqdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihnjmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jkcmjpma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibgkoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idekbgji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfddkmch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfnhkq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicfgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhbbcail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mohhea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nommodjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gplcia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbkdpnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nohddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbpoebgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkojoghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eebibf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhnnnbaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hplphd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acadchoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdodmlcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnphfdp.dll"	Eebibf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihnjmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljbipolj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll"	Alofnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljbipolj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbpoebgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acadchoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhnnnbaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaggbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qamnbhdj.dll"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gplcia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkcmjpma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikcigkl.dll"	Kbkdpnil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdqcnk.dll"	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjigapme.dll"	Ocfiif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqlfhjch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimpofjk.dll"	Nohddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfnhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll"	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nommodjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll"	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaklhb32.dll"	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mohhea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idekbgji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmgfgham.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaggbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkfhl32.dll"	Liibgkoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nohddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oabplobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neibanod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogohdeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Cenmfbml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneibo32.dll"	Fhbbcail.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gleqdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbilmqm.dll"	Jkcmjpma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqfilgbn.dll"	Jmgfgham.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peiejhfb.dll"	Nommodjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbpoebgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aicfgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlkdf32.dll"	Kaggbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhihab32.dll"	Ljbipolj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeojifki.dll"	Mohhea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfiif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afndjdpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liibgkoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkgog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fabmmejd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nommodjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll"	Neibanod.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2900	2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe	30
PID 2772 wrote to memory of 2900	2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe	30
PID 2772 wrote to memory of 2900	2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe	30
PID 2772 wrote to memory of 2900	2772	a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe	30
PID 2900 wrote to memory of 2828	2900	Eebibf32.exe	31
PID 2900 wrote to memory of 2828	2900	Eebibf32.exe	31
PID 2900 wrote to memory of 2828	2900	Eebibf32.exe	31
PID 2900 wrote to memory of 2828	2900	Eebibf32.exe	31
PID 2828 wrote to memory of 2848	2828	Fhbbcail.exe	32
PID 2828 wrote to memory of 2848	2828	Fhbbcail.exe	32
PID 2828 wrote to memory of 2848	2828	Fhbbcail.exe	32
PID 2828 wrote to memory of 2848	2828	Fhbbcail.exe	32
PID 2848 wrote to memory of 2680	2848	Fabmmejd.exe	33
PID 2848 wrote to memory of 2680	2848	Fabmmejd.exe	33
PID 2848 wrote to memory of 2680	2848	Fabmmejd.exe	33
PID 2848 wrote to memory of 2680	2848	Fabmmejd.exe	33
PID 2680 wrote to memory of 1892	2680	Gplcia32.exe	34
PID 2680 wrote to memory of 1892	2680	Gplcia32.exe	34
PID 2680 wrote to memory of 1892	2680	Gplcia32.exe	34
PID 2680 wrote to memory of 1892	2680	Gplcia32.exe	34
PID 1892 wrote to memory of 1980	1892	Gleqdb32.exe	35
PID 1892 wrote to memory of 1980	1892	Gleqdb32.exe	35
PID 1892 wrote to memory of 1980	1892	Gleqdb32.exe	35
PID 1892 wrote to memory of 1980	1892	Gleqdb32.exe	35
PID 1980 wrote to memory of 2064	1980	Hhnnnbaj.exe	36
PID 1980 wrote to memory of 2064	1980	Hhnnnbaj.exe	36
PID 1980 wrote to memory of 2064	1980	Hhnnnbaj.exe	36
PID 1980 wrote to memory of 2064	1980	Hhnnnbaj.exe	36
PID 2064 wrote to memory of 2372	2064	Hplphd32.exe	37
PID 2064 wrote to memory of 2372	2064	Hplphd32.exe	37
PID 2064 wrote to memory of 2372	2064	Hplphd32.exe	37
PID 2064 wrote to memory of 2372	2064	Hplphd32.exe	37
PID 2372 wrote to memory of 2924	2372	Ihnjmf32.exe	38
PID 2372 wrote to memory of 2924	2372	Ihnjmf32.exe	38
PID 2372 wrote to memory of 2924	2372	Ihnjmf32.exe	38
PID 2372 wrote to memory of 2924	2372	Ihnjmf32.exe	38
PID 2924 wrote to memory of 2528	2924	Idekbgji.exe	39
PID 2924 wrote to memory of 2528	2924	Idekbgji.exe	39
PID 2924 wrote to memory of 2528	2924	Idekbgji.exe	39
PID 2924 wrote to memory of 2528	2924	Idekbgji.exe	39
PID 2528 wrote to memory of 2304	2528	Jkcmjpma.exe	40
PID 2528 wrote to memory of 2304	2528	Jkcmjpma.exe	40
PID 2528 wrote to memory of 2304	2528	Jkcmjpma.exe	40
PID 2528 wrote to memory of 2304	2528	Jkcmjpma.exe	40
PID 2304 wrote to memory of 768	2304	Jmgfgham.exe	41
PID 2304 wrote to memory of 768	2304	Jmgfgham.exe	41
PID 2304 wrote to memory of 768	2304	Jmgfgham.exe	41
PID 2304 wrote to memory of 768	2304	Jmgfgham.exe	41
PID 768 wrote to memory of 2404	768	Jfddkmch.exe	42
PID 768 wrote to memory of 2404	768	Jfddkmch.exe	42
PID 768 wrote to memory of 2404	768	Jfddkmch.exe	42
PID 768 wrote to memory of 2404	768	Jfddkmch.exe	42
PID 2404 wrote to memory of 1812	2404	Kbkdpnil.exe	43
PID 2404 wrote to memory of 1812	2404	Kbkdpnil.exe	43
PID 2404 wrote to memory of 1812	2404	Kbkdpnil.exe	43
PID 2404 wrote to memory of 1812	2404	Kbkdpnil.exe	43
PID 1812 wrote to memory of 1292	1812	Kaggbihl.exe	44
PID 1812 wrote to memory of 1292	1812	Kaggbihl.exe	44
PID 1812 wrote to memory of 1292	1812	Kaggbihl.exe	44
PID 1812 wrote to memory of 1292	1812	Kaggbihl.exe	44
PID 1292 wrote to memory of 2552	1292	Ljbipolj.exe	45
PID 1292 wrote to memory of 2552	1292	Ljbipolj.exe	45
PID 1292 wrote to memory of 2552	1292	Ljbipolj.exe	45
PID 1292 wrote to memory of 2552	1292	Ljbipolj.exe	45

C:\Users\Admin\AppData\Local\Temp\a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe
"C:\Users\Admin\AppData\Local\Temp\a4b0e063ee11c58b0ad7099ffd6c2c3278efc9d16c79347ed52cc21584e74df4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\Eebibf32.exe
  C:\Windows\system32\Eebibf32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\Fhbbcail.exe
    C:\Windows\system32\Fhbbcail.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Fabmmejd.exe
      C:\Windows\system32\Fabmmejd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Gplcia32.exe
        
        C:\Windows\system32\Gplcia32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Gleqdb32.exe
        
        C:\Windows\system32\Gleqdb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Hhnnnbaj.exe
        
        C:\Windows\system32\Hhnnnbaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Hplphd32.exe
        
        C:\Windows\system32\Hplphd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Ihnjmf32.exe
        
        C:\Windows\system32\Ihnjmf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Idekbgji.exe
        
        C:\Windows\system32\Idekbgji.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Jkcmjpma.exe
        
        C:\Windows\system32\Jkcmjpma.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Jmgfgham.exe
        
        C:\Windows\system32\Jmgfgham.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Jfddkmch.exe
        
        C:\Windows\system32\Jfddkmch.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Kbkdpnil.exe
        
        C:\Windows\system32\Kbkdpnil.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kaggbihl.exe
        
        C:\Windows\system32\Kaggbihl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Ljbipolj.exe
        
        C:\Windows\system32\Ljbipolj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Liibgkoo.exe
        
        C:\Windows\system32\Liibgkoo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mohhea32.exe
        
        C:\Windows\system32\Mohhea32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Mheeif32.exe
        
        C:\Windows\system32\Mheeif32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Mlgkbi32.exe
        
        C:\Windows\system32\Mlgkbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Nohddd32.exe
        
        C:\Windows\system32\Nohddd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Nhqhmj32.exe
        
        C:\Windows\system32\Nhqhmj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\Nommodjj.exe
        
        C:\Windows\system32\Nommodjj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Neibanod.exe
        
        C:\Windows\system32\Neibanod.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Oabplobe.exe
        
        C:\Windows\system32\Oabplobe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ogohdeam.exe
        
        C:\Windows\system32\Ogohdeam.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ocfiif32.exe
        
        C:\Windows\system32\Ocfiif32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Oqlfhjch.exe
        
        C:\Windows\system32\Oqlfhjch.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Pbpoebgc.exe
        
        C:\Windows\system32\Pbpoebgc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Pfnhkq32.exe
        
        C:\Windows\system32\Pfnhkq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Pnimpcke.exe
        
        C:\Windows\system32\Pnimpcke.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Pkojoghl.exe
        
        C:\Windows\system32\Pkojoghl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Afndjdpe.exe
        
        C:\Windows\system32\Afndjdpe.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Acadchoo.exe
        
        C:\Windows\system32\Acadchoo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Alofnj32.exe
        
        C:\Windows\system32\Alofnj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Aicfgn32.exe
        
        C:\Windows\system32\Aicfgn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bdodmlcm.exe
        
        C:\Windows\system32\Bdodmlcm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\Bdaabk32.exe
        
        C:\Windows\system32\Bdaabk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Bmjekahk.exe
        
        C:\Windows\system32\Bmjekahk.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cbkgog32.exe
        
        C:\Windows\system32\Cbkgog32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Cenmfbml.exe
        
        C:\Windows\system32\Cenmfbml.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acadchoo.exe

Filesize
320KB

MD5
43124de3ee4bfdf241be76384e85e2e7

SHA1
07933d314243d6137b2c7d2862fd184384a84be5

SHA256
765e0cf0554026fabc62849fd0cc71157a69bb3fee7af09bfdfcfb9e0a1fd79d

SHA512
0343b61462cd84dbfd6e671b4ae29fc2f8238387f803b679451e5589c0b4deed36add20a93a7f7ac2e2e003c9edb7e962274405dda7b9223092bded843848fe8

Download Submit
C:\Windows\SysWOW64\Admgglep.exe

Filesize
320KB

MD5
8ee89d0c897a180860e0785966ab65a5

SHA1
588f17d32349db84e5f280aa6220618582cb2328

SHA256
122e0aa7d698bb79bb39940d4810e14c67577da439c7b21fbd5c5233dfaf47d0

SHA512
771b11cd2b03742cdc9203a30e16536896e17f53639848d0e463a8a99acbd40329419945d8546b9287a0cb886c756fea2527d232ea61d2bb979f417cd08d79bf

Download Submit
C:\Windows\SysWOW64\Afndjdpe.exe

Filesize
320KB

MD5
700731f069a85669c09f95e7de57dcbb

SHA1
0d045a0df70cef7f40d869242ce09bedd35d771c

SHA256
92e876f55e43d4bdcdaaec7d9699b0c5bdb2e3ba75c173327d48320022377fd3

SHA512
91d2eb43473af6a41c1175b697dc700caa04fa2dd2c6b622e556e0f579452738dbc65328328d953359761c451d28a78bd99842c8cca8eccaa3fcbe5d2316ddae

Download Submit
C:\Windows\SysWOW64\Aicfgn32.exe

Filesize
320KB

MD5
2a0e5c63b4744c04d7fb7f38fcc61ca6

SHA1
379ff8b4d3b7e67e680a0fe39056b62f61c2313a

SHA256
e821a65d4d983be220ca3d2f20e6672ff3133fd37d3aef8e0884edb4c6ee8814

SHA512
a179e8b9927b6089e2b1a7efc92cbb3bfe4631f02806a53d54593831e00c49e652be54b357bee86baae694f52863b1ad92a795078371dd39918b171cc0f7c18d

Download Submit
C:\Windows\SysWOW64\Alofnj32.exe

Filesize
320KB

MD5
bef12c0292a8d4f88612364e60f03df2

SHA1
d8d77671048eead8eba81aea7ba94ba9ffaa9c63

SHA256
00c8547c0b401b0e250ced3d9daaf1016f29fb0705c291ba90ee67db974568de

SHA512
1b78c636e31fc8c42246f94da947a324e4063be94000cf7e7aee92e0cbbbeb5cd15f549c278a1d78d4ec5df4d9e6ceed8ccda1891230add284a3e760726e56b5

Download Submit
C:\Windows\SysWOW64\Bdaabk32.exe

Filesize
320KB

MD5
49386c38a03ae73274f19922f0ed8004

SHA1
4541f9dc00b8a3b7ea80bf3dc8fca7f114500611

SHA256
aaa36185ef67c6765f9afe5cae9ba8a6f2f8d52d4327a8ec3b727f06f87b1781

SHA512
5f47c419eb4f17fee6d1b51e5580278646e9871eb38fcf79f671607577e90d2f3a8df26e8e8e53ac013d5d6fa6095f98d1388e24a868d65900b738e729c3059d

Download Submit
C:\Windows\SysWOW64\Bdfjnkne.exe

Filesize
320KB

MD5
fc589af3acd9cd838a5f44a810410448

SHA1
73927d5ee7fabc3ff657f650345e4ad86ad30b3c

SHA256
60902137e6c68ddf9ac12341502c7034c0e9cca1ead5f9103121218a64f28fb2

SHA512
8ae2f25068cb6e6d1eec1c0fd42a9ed436dcd4f53bdfb0cda0d797e168417c9188a413cf97dda1342b8f9eea299568c63913521a89d4a247ed4c146fbe700cb5

Download Submit
C:\Windows\SysWOW64\Bdodmlcm.exe

Filesize
320KB

MD5
919bbd10d9fa301f0ace2820d21a9fd4

SHA1
ec3bd62e9bf6bcbf938271af953ec057530728b3

SHA256
9a793f00f9ec53f13d6c6db7d5c88ed3696705c2aa19af10d27829fbcd93afca

SHA512
1f592450395ee438999f5070caa0ba5362bb2e8c15ea30800594541d9f4b68afde2dfb9f18fdf3751b22ea5af43fabd61ef291220508217230a45d919a7e09ed

Download Submit
C:\Windows\SysWOW64\Biqfpb32.exe

Filesize
320KB

MD5
cf40b603939690b79861fc49ac3b3567

SHA1
8bfe42541ce336e30f8fd24abade3ef9cfce82e6

SHA256
220e59d1d282aaae374ab57a60ae2f3ca6d4618b6343dc8dff26e93ef91938aa

SHA512
2f669137113d17b30b376b685dd3b8f204af92289b515299ad0b10e8144a521fb42ffd3ab02fb81c400e1d15e516b582cac9f319568e524566087c14ba5af52a

Download Submit
C:\Windows\SysWOW64\Bmjekahk.exe

Filesize
320KB

MD5
809b71eaa6d728d0cb147997c14aeb96

SHA1
0184ce6892493f0082f040dca526266cb8b8dac3

SHA256
dd540675297857d08cfef21c59518ff53af9b253e6c3a0d5e98716161e90b87e

SHA512
fb04ebfa3da9b580148d7df53e5d62bb284a574695a729192b79e25a7fccb91443c0eb6837a07cd1911d906566c8a0345d33fba67f72dece39c5536ab2e805dd

Download Submit
C:\Windows\SysWOW64\Cbkgog32.exe

Filesize
320KB

MD5
dd1cf5989e6950691d219861b09eadeb

SHA1
5c5100c7c7f36dc9ed9e61fea2aa7b497a40b216

SHA256
8f28bbab4b78478221ffaaf62924a7ac5d8dfae58d272293a13cb75bb1d12d9c

SHA512
5a1fcddf0dcea7849aad1ca3b288d6f5d653de6c772fe9727e8336c5ea80e7a1a3e2aa21230cc996703b6f2a74df02757ffb4da5b00d5f46a3afbd3b148b77e5

Download Submit
C:\Windows\SysWOW64\Celpqbon.exe

Filesize
320KB

MD5
934fcd40cfecb7600960147ad1cdd02b

SHA1
b560ccbd4cbdc82bb140f84731f289a45bb174a2

SHA256
a0f1f828e9f97308c14c49e05e4d797a09e75e31eaf2114dede450d1fb4b38cf

SHA512
bfb132f110ceaa704232870740bdcc7a851f821e3a037e4d22e7291911e7acc1a97462326ee017f92b5ad6da1caa5d51443d8af0ee449d7ca9ca951367cc7610

Download Submit
C:\Windows\SysWOW64\Cenmfbml.exe

Filesize
320KB

MD5
89f2a7ca5dae74b4eba40d63813bd0cf

SHA1
40189d5edae46e0d27a9998f5d0005d31e19b47a

SHA256
54ed4ca8e9eee029e3d401e817a5317d82c1af3f73f7632997ba2226240dd4fb

SHA512
3d7e07c7ecb2db21e71d753c299c05971bc9d20ee97447fd6d4a0b17c65619563d0cddafce1b62c9443e33956f797773fad778576ceea28e10d4580f586913b8

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
320KB

MD5
33f1d52aef444d04347c83d76821abe2

SHA1
6c666d732ee64032423e9bc87bcee502f337c298

SHA256
815a38da5eca3e25a3c06ea3bf93d65b4816071dd5de8bf85adeba563ef710f1

SHA512
da91f4455ef6804234c14c085fc95ee5754ccdacf05676a3f08351e85da60fe0a5dc901479058eeb9d0dec754a66ed29a4e9dcd7c427715ad89d086e2d0b7c1f

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
320KB

MD5
5d73e6b8f7f039a06b152a1221fb4f4f

SHA1
3f84c6658b2e360825a080b24879fbae383da506

SHA256
1c0484c7d32d41dff8ef49fa5fca767bf99c281c73ee4e3ffe5f8b18ac38465f

SHA512
ae0c387823792c1aa4f1e88e6dad92e8ff6b3cd56400e16f7d294ce249fcfe7acb772f03bb44a04667dcfb80fd870b8782fda898a30360c0d7dbee8e07646c79

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
320KB

MD5
baa7ed0d34b434c65c1d9325ca74d137

SHA1
07a08eee2563180ad2b504e2648c3bc96f7f2f7b

SHA256
d1521a2e291a4275894332b8bd06a30d501b26f55e96dd7698cb19e8620abc09

SHA512
3b1cad00567f9a9f8fa45d59cb74cc4696ddd0c5b70c28292853caae0690a3eb5cd8c7937b5490d92bd62e382046324f84e5eaa688d824df70a3b0a64a59d90c

Download Submit
C:\Windows\SysWOW64\Fabmmejd.exe

Filesize
320KB

MD5
45f2f409167c37e153e943651f7836e0

SHA1
b5432e5257483cae4543f20967a00c1eb2e97fd3

SHA256
d4de42e5864a9115552443379beddc48cf5909283d74fb70c3e57f123a528d0a

SHA512
fc7bcf456422801802a3c85e9bcdaa78421c29476e2bf128d7959d3783ef900d6c45ae3f19f4193bdff0d860ea85440f32537eb2462d3a0871868e3c825318ca

Download Submit
C:\Windows\SysWOW64\Idekbgji.exe

Filesize
320KB

MD5
3940d98c17f48fae3564ae7405c69a0c

SHA1
f8d9fcf387dd6f283eb82f4cc1a003a23918b943

SHA256
5d7c90f1499ea31178ae162526a2af01220395d45b6fa3200b9547f960564f52

SHA512
1f51763dcf4dcfba6da5f4f22b51a0d49a2d47aff511ed2a15cb037cd382df9dfa1283d81fb9ace57805ef5e2db7b582281118921fbb70901488c95dc4006053

Download Submit
C:\Windows\SysWOW64\Ihnjmf32.exe

Filesize
320KB

MD5
dbad12edef98f062943767282e2eb823

SHA1
6c9428ff5e35f54cadd40e664b51a3876cde4f39

SHA256
ef357766113f95bf2a18709c77fa4759fa54a5c55dc242f8ffd61356f91a2ba0

SHA512
e1c2e252a49c63ac90a36b2164cf8832725a02360aa998a50a758b894457894d7c2e1bf0a3256beb5891212b0df5fed7ad00ca82084a7b2f4c78c9356017ff66

Download Submit
C:\Windows\SysWOW64\Jkcmjpma.exe

Filesize
320KB

MD5
fa88685fb967e2902a961b37ce2edf82

SHA1
025effd4ed3c2c4917cfd3fe7feb591ab2c63af2

SHA256
a785327b74209d256f1dff3822040c62e48e182b64d23f48d3717d6a3a3c903f

SHA512
b34a7aa871a571922b78fae88fd0e14f6c20b388c0a14c89725da36788afa5cebc992c7455228cda79aa95bcf3b3458cc2b49ee095549fd50ececeff1fa86de8

Download Submit
C:\Windows\SysWOW64\Jmgfgham.exe

Filesize
320KB

MD5
5de2d82032aaee20122a3c7fd3462b19

SHA1
00bb68897d7b13c78fc789ef910bcef1ecf8cf03

SHA256
e1a0501fca0668ca4d9ca243db8da275e8faba3fb09d99b021ab824332bbdb5d

SHA512
25338bd493924d92f32c1c532e66d33f118daa1d4923a91805b6bee163c46f299864104c16d4c166733c253baf593bf5c4d59d1f57be4b71aebea239b7885f05

Download Submit
C:\Windows\SysWOW64\Mheeif32.exe

Filesize
320KB

MD5
3b0e79d45918376c02574fa085ee65b2

SHA1
56d1be9fcd7a860dea32e8b5f9893efa4160500e

SHA256
45614600ed0534a39516a19398b26a47123d99f6e54e1c0dbfc16aed9769e694

SHA512
98d88a755b8f8009b23df085f645a27d0717898c2c212cd584dcec6a460bb56749725ef5c63fb3ef48d3db6470751c48620623d939d12c526241ab9dec837f66

Download Submit
C:\Windows\SysWOW64\Mlgkbi32.exe

Filesize
320KB

MD5
e59c086a466588e7f008b1cf5571ae6a

SHA1
a7c5d353ae87421293603b4705fd5100bc4357bf

SHA256
95b1c1849d507b76324a069712aad547dcbf16ca8a2e9a637cf0e78a6c13300d

SHA512
da1cd304ba8477218c51f398979e0a7f6f4e5df6071ce94eeb4cf7debefe564d96d56449858d46b88dbc5ff31c5399c146b81db0b9d1b691a670f9a28cb12c79

Download Submit
C:\Windows\SysWOW64\Mohhea32.exe

Filesize
320KB

MD5
6aea0ae02eb98f2cae4f32ea32c797e5

SHA1
8ee77f4099ed019755cd85eb0bf86b33ff0de405

SHA256
64f76b3420d43a6a5105de86630ab04fa833c1fa96a5ae2a8960892340d936b8

SHA512
83ddb96233ca7d72d77983488ea7d3d898f2e7b1c45408ee7c4939d67abfba25f8a650757d97c95d1cd30a55c91e49560eb01f54ca9fdc2dc56a825c702ea8ee

Download Submit
C:\Windows\SysWOW64\Neibanod.exe

Filesize
320KB

MD5
793c6477de630fac465cf90a42844ca9

SHA1
2586d260d40f3de034695ddd164e361f7b214760

SHA256
bee35a703c51f18f2d9ab355a3c1d7f7db9e7f70380400f3c527f44b0e1682dc

SHA512
bd4fd5a4f5f02d8984abecced33d73a6672e34baaf517f44cf1e6e09a4df93ce6bd488607af8c59af4f658a36d00b968b0476ea86ee6e31538190c7fd7bce96c

Download Submit
C:\Windows\SysWOW64\Nhqhmj32.exe

Filesize
320KB

MD5
4c485fb5ec533aaec48311a11551f70b

SHA1
7fb5b6c73f5b724d74fb284fac9dbb470f92696c

SHA256
4142d41fab9bfff37a2b4287bd4b78539a4f846b030a029443644347391c8abc

SHA512
6995259e0a861b2cb6558faf15d7935ed6389d762ea0aefc9105df8c80deaf6fc90f832580f9695fc1aaf6e106f60875941ad7eb34b919a2470e89e7573aea52

Download Submit
C:\Windows\SysWOW64\Nohddd32.exe

Filesize
320KB

MD5
2c51912ac978793e56306c6cc06239ac

SHA1
0b06458ea1b5a0b66b6c6915e692a9f29777f325

SHA256
2ae08ee0dd321efd2870a472e1cd24778f737b8d2245be9183f52625d892a517

SHA512
6192d5e8255a9791f81aae8a186d7747d7579e7fc02c2a3eeafe2bba0b7be562872aa87f3d8af97e4519fb4d63d4b57eaf778dd236c30d3881d49205745b610a

Download Submit
C:\Windows\SysWOW64\Nommodjj.exe

Filesize
320KB

MD5
96fe26c555608818d337b07350020681

SHA1
a8382f11ef3bde2a3e2efae7a807d907fdfaf3b3

SHA256
f6c8042277c733ede4dd85ac301eaf208cf3aab2447c899cc60d763b1551fd5a

SHA512
18fa15bdf1bd5ae77313640ac00f6c6f85fea352388dc6e186ed302bda3a8897340f1735d57e35b641ee87fd77220e8c8a873b17ab3ba94c13c8b32c879f458c

Download Submit
C:\Windows\SysWOW64\Oabplobe.exe

Filesize
320KB

MD5
25d7fba52e21254997a880d5e29b3f28

SHA1
c45bf8501c528bc9cac196fa38165357418fb581

SHA256
dc37b386cf2d41f6f1e40ce0ec32430dfc7e3bd12d0bdb96ad93e6cc5cfbcc6c

SHA512
98f2da3ea80784ec399869bfb5a7ea6174e4bd9cabea24d75bd20abf9b307f614abd35795d0f2ca694478a182787e6f75483cf1e1d916974a138a9e0c166fde4

Download Submit
C:\Windows\SysWOW64\Ocfiif32.exe

Filesize
320KB

MD5
d9eed6bf119aa57a9f875aca42a56cb5

SHA1
15b973ba7a8ea4124fce55e9930ff1d7afdfa688

SHA256
2c158e00fb61007578e73bdecbde106315863903ecf144200db5e11b40534b68

SHA512
c9f52edc799a2574453a725172f5ffc5a7304af66df20f746ba79054b36ef53e06654ff86a464f5982bb45fe422490ff6948f9e84a16332012241beb00d89f8f

Download Submit
C:\Windows\SysWOW64\Ogohdeam.exe

Filesize
320KB

MD5
cdf43dd4880ab53fc037ccb8ab276255

SHA1
136fba00743ad8997010b7a84f3cad1caa7a40d5

SHA256
67f5b3dd1f6e515498885126ca97c6e9045636f71a3151cf0f7caff3a7c14eb7

SHA512
0d31ef35210d1236f1bbbeecb38df5c373377acf9945d9ff4060c4417a31e9d707799253f3d643485c13fe1d1eb9de1c6e82e260822d8b1dfa110539a4e25989

Download Submit
C:\Windows\SysWOW64\Oqlfhjch.exe

Filesize
320KB

MD5
874be3de0955f84fe5c2c2861217614f

SHA1
5860dd2823bba61c786790ced9d26368e5ff3e93

SHA256
d608ef291b8c7f81d9f2f69cb41ce9317c2398969f4ee78c131ee50d26f7fbaa

SHA512
dac8ddc249933c072cdec461d40f3695687d93eb25090781529cd24d33d30cf0283d3569b6aac55c13421f8159c1c9a4fac10a7d8884dbb4a63ecc8eabe4f4a4

Download Submit
C:\Windows\SysWOW64\Pbpoebgc.exe

Filesize
320KB

MD5
c5b8a8eb984fd6e58e7c0fc86215c4c7

SHA1
c7100bd2bb19c4629a72971b79eb2ff2445438da

SHA256
8edbaa1e4bd6f0107690b9c60ae2d897e8134258b8cbec69bbad8d983f5c3216

SHA512
d70d159de1baad31a6f1bc08722af5ac871cff5a61519c70362aa3b20ea76543ec321df704d8728c53dce989381877f579ca78f8cc3162091e195300bbc33140

Download Submit
C:\Windows\SysWOW64\Pfnhkq32.exe

Filesize
320KB

MD5
e3def634b22998c5426b12700db68c7f

SHA1
58bc380281258c9d8a8209fde87cca7b86464046

SHA256
00c82ee7c26abffd18453890d9614db14db4fdf579292e8188f06e647bcf17b4

SHA512
90f9d3c416cc3575bfadc72d3c9813fe58b16c86246e458f58a4f1f4e9ccaad74015151e5b78acfca6af87f175c0d8293b21cd1d98753abfacc4835cff1f558b

Download Submit
C:\Windows\SysWOW64\Pkojoghl.exe

Filesize
320KB

MD5
ddf1fcb38c418d44f96be4cb5b0d2887

SHA1
ca17160865dcfff1e2bafac233052092fe0c1218

SHA256
cd34a765fb4887ae9062dffe871f4b38c59c3c4e09166a9c7a49288a65b5d82c

SHA512
fb88c06bdc009a570cdda131480ab1e1158a398c51114d3f3225462bd23e8f4528a8705084fcf427816b3c714c041ac4566d113ad957986607e38016175fcc6b

Download Submit
C:\Windows\SysWOW64\Pnimpcke.exe

Filesize
320KB

MD5
42977b41b18da3c36f86e58c8036ea9c

SHA1
3f687b4a30f674f83daa3bcdadfee09f2abbf64d

SHA256
ccc5d59cf4faad9c3217d7a05e2d88b64956c4683ee54062f220c2d6ead02a95

SHA512
99600ee2255465e4abfbd60e3f6594c72f4aa406943288b399453c47cd1bc03f1dc4da2c091423ea9222b1bdaae732d501d81c605641aec7c43a7c0f32eecc8c

Download Submit
C:\Windows\SysWOW64\Qijdqp32.exe

Filesize
320KB

MD5
2a68e6087f77a333795200956ed00a16

SHA1
24f1d5db6df80645309268a6b1b7e15033ad2240

SHA256
96272944c2f4cfd6af92c1731102ed697650df7c7729d6959425439a935b689c

SHA512
b065b0551dcfdd1767980585f2e73adfb015e1f27dab06118972a7c35f3eaed236db9df302ecd8ecbb006834f3c20ad1ecf92592d2ded05714d8808ca0658792

Download Submit
\Windows\SysWOW64\Eebibf32.exe

Filesize
320KB

MD5
8017475e6f804755261fe8811ea5a7e8

SHA1
228764ef343bb208900caacb35f7c45315a92cf1

SHA256
ec9f7539bfdaff988306215eb426c5fa4040fe23dce989d6283692a11e0a995f

SHA512
d038c0a268b114e04f5d9015e0746839cbe4ed1b9a993dfa28d579730288be11aaf3b5d3e444f8dd7acbb0d53f6c737bd5e48b34dfcc4c129b67df9e5b5f6be4

Download Submit
\Windows\SysWOW64\Fhbbcail.exe

Filesize
320KB

MD5
34627e40b05a81826525b99ac4657661

SHA1
122c3c2d0b87fb8d4b125e450754d421efd722d6

SHA256
6665aa851783329e4ec0b6b4e02171a3644fc00f2d3a82a2607801337a6fa49f

SHA512
fbb214765790159c0ce29e6f4ea9e39f124389f79064c120c19557e42f40d14b28203bd5926e8dd87da667c01bf70573fecb1bbe782976206acab83db0e1f680

Download Submit
\Windows\SysWOW64\Gleqdb32.exe

Filesize
320KB

MD5
0ad9c19874cebd4ec88cb1eca9a801a0

SHA1
40296f6a45a1506b8317c7a046ff18c8d536a7dd

SHA256
9dcbfbc10be3a95ca6b4e8d51ca5d5f65fa98edb05c1688d2d6d008211d13e78

SHA512
8cea663844f222d68215d9c8337eeb098c4e8bbe7587dafef6e04af606dc9c770b8e0207e85cfe0604bcc9fd3a256d2c9464045961b94873814c620d06015351

Download Submit
\Windows\SysWOW64\Gplcia32.exe

Filesize
320KB

MD5
3a57503e286ce9c0864379cbcf6c68d7

SHA1
45242621c299a82c9274962b44d4796bec30c020

SHA256
f5febeb71753b2a10622d9297c187d28571ba658d7e4bdafc6822962a7a17152

SHA512
40693bd68d7110f58f0f2932c6b852810e05e9a8832165280fc5aea7d2da9564255fd70bd8fde76a7fac7634a6ffe2dce92460894d0b136447bdc2e1ac606626

Download Submit
\Windows\SysWOW64\Hhnnnbaj.exe

Filesize
320KB

MD5
04d8c0036d4b914df23089db6ae56ce7

SHA1
e4ffe68da8dd068d6c09a119ab9bd8b08ada6efc

SHA256
eea239db1bf0b8d7e5d715aba749f2dc2da81582a5988a5eed1f12cffddf6521

SHA512
597e21d17b592ee5b7ba688c0a93623c24c72b481873cbcb8f0b2956e332029681d73c98956b5d3ca21fbf91997e1ee0343ac6f220b7c54bdeb470bcc6f2ecbf

Download Submit
\Windows\SysWOW64\Hplphd32.exe

Filesize
320KB

MD5
c27093ef864d258b3098e65c33b0af65

SHA1
49cd51e4bb89af82d81ddcf185fb77604d8084a7

SHA256
e742bffb5c2b856ee05cb7f80fe5f5c14ce615a775972bd83a617d1c56ad161e

SHA512
f309ca96727c03504d81e1b68b784f6d630aaf43e2ac36e3dba3f6b158c3f5be0745d8c99a83e58d4186bff1e927ab338e1e7b7ade8d22086afe94246b0aa3c9

Download Submit
\Windows\SysWOW64\Jfddkmch.exe

Filesize
320KB

MD5
83376a6419ee25cffbace21ce8019ab1

SHA1
65316d9d6d1f0778dca0ec91931aab7724d2a207

SHA256
0f1c5e76c886f22deca082c0b7aa238a3b1fb0922cbbc163ada20a9946408e73

SHA512
29903a1e64767a66685dd5fe45221bfe4fe321412f8defa33b4b9bd9c28880b389a2423aaa6abb268593dfc501a186da520de888166f694699ce275ae2c95fe7

Download Submit
\Windows\SysWOW64\Kaggbihl.exe

Filesize
320KB

MD5
0057f76d5c61b6205734b1d2fff26168

SHA1
5bb98dbbaf98c0c921939802d96e4308c6aca543

SHA256
a4af44057ac4b58b10c45db37e08990e0eb51231e261647baa935e761b92613c

SHA512
0d15cc89c56a969484540f7f158a446995143735528bed5c0f0b7d717646dfb95bd92867ab2161baeaed573c58e0ea66869afd0aac4fda5e50ba83caccea3a44

Download Submit
\Windows\SysWOW64\Kbkdpnil.exe

Filesize
320KB

MD5
a573c7f629389fff2569dc86420d3255

SHA1
2387e27a4f3afd5e58ec9f81969aaee189438c66

SHA256
286b6eee7956c70508ac761e1b33fedd170ffc83b0c6d7ae7b590103614aba29

SHA512
e0d74e892e27386d25eab8881bebf7602c5887210c24066517abef83eab0f3334125de2d59b8ff0e0bd33ec6edea754517918a9e37df724bd1cc95fb64792423

Download Submit
\Windows\SysWOW64\Liibgkoo.exe

Filesize
320KB

MD5
dfab67ac5e11ff0ebd1f12dd0301ea11

SHA1
bfd2957d1b65facebba5d85aa76457bb1c803277

SHA256
a8e814b59f46c090e73c4926685d36e003b812fdb4f72c8b6217d5b416f48233

SHA512
04f164ac4c5887f7002e14795e7af6f6f78e79c3519c5522ce0fa9ffc559aef66271bb587522a569463c774011100a759090c7a6c0e2e619733a5e7936510770

Download Submit
\Windows\SysWOW64\Ljbipolj.exe

Filesize
320KB

MD5
d687cdfffd7a49231aaa9d9f29fe7ace

SHA1
24291de0e0ceaad13e2b96b6a9791bab63053d6c

SHA256
06b3c8e23994765fde9d50271dc63786c0fc22ea1949c4ef5b7c6bb2acd8cf0e

SHA512
01695d8d8ca524e099dacd7df5f064fdc082bc7ea1fa9d712857fe355403bd1da66792a3a435e637da725ae337d54b3e11bded30e5f82579c00d41630545c376

Download Submit
memory/360-298-0x00000000005F0000-0x000000000064C000-memory.dmp

Filesize
368KB

Download
memory/360-293-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/384-405-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/384-406-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/384-407-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/568-281-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/568-287-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/568-288-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/768-168-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/768-176-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/784-395-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/784-386-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/784-399-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/944-314-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/944-299-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/944-308-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1116-261-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1116-270-0x0000000001BE0000-0x0000000001C3C000-memory.dmp

Filesize
368KB

Download
memory/1292-218-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1292-210-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1292-229-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1492-364-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1492-358-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1492-362-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1540-250-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1540-255-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1540-259-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1624-236-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1624-245-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1720-794-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1720-793-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1756-470-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1768-499-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1788-383-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1788-385-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1788-384-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1812-197-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1812-208-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1892-70-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1892-84-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1892-78-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1892-498-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1980-93-0x00000000006C0000-0x000000000071C000-memory.dmp

Filesize
368KB

Download
memory/1980-86-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2036-276-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2036-271-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2036-277-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2064-111-0x00000000002E0000-0x000000000033C000-memory.dmp

Filesize
368KB

Download
memory/2064-99-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2244-489-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2244-484-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2284-479-0x00000000002B0000-0x000000000030C000-memory.dmp

Filesize
368KB

Download
memory/2304-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2304-166-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2304-165-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2356-457-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2356-452-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2364-432-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2364-408-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2364-418-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2372-125-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2404-195-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2404-182-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2444-447-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2528-152-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2552-234-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/2552-235-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/2664-374-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2664-363-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2664-373-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2680-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2680-68-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2772-434-0x0000000000280000-0x00000000002DC000-memory.dmp

Filesize
368KB

Download
memory/2772-413-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2772-12-0x0000000000280000-0x00000000002DC000-memory.dmp

Filesize
368KB

Download
memory/2772-14-0x0000000000280000-0x00000000002DC000-memory.dmp

Filesize
368KB

Download
memory/2772-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2788-346-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2788-356-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2788-351-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2808-334-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/2808-320-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2808-336-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/2828-41-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2828-40-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2828-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-54-0x00000000001B0000-0x000000000020C000-memory.dmp

Filesize
368KB

Download
memory/2848-42-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2876-340-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2876-341-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2900-19-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2924-138-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2924-128-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2996-419-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2996-438-0x00000000004D0000-0x000000000052C000-memory.dmp

Filesize
368KB

Download
memory/3052-318-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3052-319-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/3052-325-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads