berbew | 6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7

Analysis

max time kernel
92s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe
Size

96KB
MD5

50438e913d0941d1781044050b44683d
SHA1

0e891e11e36cb18b1f886e49120b55c25d9c456d
SHA256

6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7
SHA512

b8e3c267c54d5b5b8aa31e107e68b5942fdb3af6b8220e8950e46e3ba396e95d23b559d66fd0dc26281f3d198b1253ad93918e18a0e9fab4ffe52c9d491fdf97
SSDEEP

1536:kVKEgCKJxs4kmSnxFvOGYQJiug7ALGrbXvTaAb4NCBYajUABmkP6Mq7rllqUOcyr:AKEV0EGQckGrbX7HbFBxjUSmkCMQ/9hO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkdbpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klqcioba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbdolh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifgbnlmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipdqba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfeopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmnldp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikpaldog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpeiioac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmhale32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jioaqfcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcbpab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfckahdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hijooifk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiaephpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlednamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgfooop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiaephpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqcqkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlnnmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmnldp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3804	Hkdbpe32.exe
1124	Hbnjmp32.exe
1912	Hihbijhn.exe
4692	Hcmgfbhd.exe
1708	Hflcbngh.exe
2236	Heocnk32.exe
1760	Hijooifk.exe
1452	Hfnphn32.exe
1472	Hmhhehlb.exe
2560	Hcbpab32.exe
4592	Hfqlnm32.exe
3748	Hioiji32.exe
2112	Hbgmcnhf.exe
1048	Iiaephpc.exe
4472	Ikpaldog.exe
388	Ibjjhn32.exe
1984	Ipnjab32.exe
4260	Ifgbnlmj.exe
3252	Imakkfdg.exe
4368	Ibnccmbo.exe
4824	Imdgqfbd.exe
5004	Icnpmp32.exe
1964	Ifllil32.exe
2188	Imfdff32.exe
3916	Ipdqba32.exe
4536	Ibcmom32.exe
4948	Jimekgff.exe
3936	Jmhale32.exe
4216	Jbeidl32.exe
2068	Jioaqfcc.exe
540	Jlnnmb32.exe
2084	Jbhfjljd.exe
4448	Jefbfgig.exe
3152	Jcgbco32.exe
4484	Jfeopj32.exe
3528	Jpnchp32.exe
3704	Jblpek32.exe
4064	Jlednamo.exe
2664	Kboljk32.exe
4924	Kfjhkjle.exe
1396	Klgqcqkl.exe
3900	Kdnidn32.exe
2336	Kikame32.exe
4512	Kpeiioac.exe
2944	Kfoafi32.exe
3960	Kmijbcpl.exe
1516	Kpgfooop.exe
1608	Kbfbkj32.exe
1444	Kipkhdeq.exe
4604	Kpjcdn32.exe
4976	Kfckahdj.exe
796	Klqcioba.exe
4076	Kdgljmcd.exe
3264	Liddbc32.exe
4164	Llcpoo32.exe
4332	Ldjhpl32.exe
4920	Lekehdgp.exe
4968	Lpqiemge.exe
3056	Lmdina32.exe
1988	Lmgfda32.exe
888	Lbdolh32.exe
4232	Lingibiq.exe
4952	Mdckfk32.exe
4708	Mbfkbhpa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfqlnm32.exe	Hcbpab32.exe
File created	C:\Windows\SysWOW64\Mnbcedcn.dll	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Hioiji32.exe	Hfqlnm32.exe
File opened for modification	C:\Windows\SysWOW64\Jlnnmb32.exe	Jioaqfcc.exe
File created	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Kpgfooop.exe	Kmijbcpl.exe
File opened for modification	C:\Windows\SysWOW64\Lekehdgp.exe	Ldjhpl32.exe
File created	C:\Windows\SysWOW64\Ifllil32.exe	Icnpmp32.exe
File created	C:\Windows\SysWOW64\Afomjffg.dll	Imfdff32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Jimekgff.exe	Ibcmom32.exe
File opened for modification	C:\Windows\SysWOW64\Jimekgff.exe	Ibcmom32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Hihbijhn.exe	Hbnjmp32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjjhn32.exe	Ikpaldog.exe
File created	C:\Windows\SysWOW64\Kmijbcpl.exe	Kfoafi32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ipnjab32.exe	Ibjjhn32.exe
File created	C:\Windows\SysWOW64\Fkgoikdb.dll	Imdgqfbd.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Ojoign32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ikkokgea.dll	Lingibiq.exe
File created	C:\Windows\SysWOW64\Jfenmm32.dll	Mckemg32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Oneklm32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Jioaqfcc.exe	Jbeidl32.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Hkdbpe32.exe	6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe
File opened for modification	C:\Windows\SysWOW64\Kpeiioac.exe	Kikame32.exe
File created	C:\Windows\SysWOW64\Ijfjal32.dll	Mipcob32.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Imakkfdg.exe	Ifgbnlmj.exe
File opened for modification	C:\Windows\SysWOW64\Icnpmp32.exe	Imdgqfbd.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbfgig.exe	Jbhfjljd.exe
File created	C:\Windows\SysWOW64\Kboljk32.exe	Jlednamo.exe
File opened for modification	C:\Windows\SysWOW64\Lpqiemge.exe	Lekehdgp.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hfnphn32.exe	Hijooifk.exe
File opened for modification	C:\Windows\SysWOW64\Hmhhehlb.exe	Hfnphn32.exe
File created	C:\Windows\SysWOW64\Eifbkgjd.dll	Jimekgff.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Hihbijhn.exe	Hbnjmp32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Hbnjmp32.exe	Hkdbpe32.exe
File created	C:\Windows\SysWOW64\Jbeidl32.exe	Jmhale32.exe
File created	C:\Windows\SysWOW64\Bhoilahe.dll	Jblpek32.exe
File created	C:\Windows\SysWOW64\Liddbc32.exe	Kdgljmcd.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Enoogcin.dll	Hijooifk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5888	5304	WerFault.exe	238

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiaephpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfoafi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimekgff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblpek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqiemge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibjjhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icnpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hihbijhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hflcbngh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liddbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lingibiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhfjljd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfckahdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkdbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmhhehlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbfbkj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imdgqfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnidn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klqcioba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdckfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpnchp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kikame32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbdolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hijooifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgbnlmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbabgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlednamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hijooifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnhjmp32.dll"	Kboljk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhfjljd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkcfedla.dll"	Hfnphn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipdqba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikpaldog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khchklef.dll"	Jpnchp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglcddpd.dll"	Hbnjmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbbfnk.dll"	Kpjcdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgoikdb.dll"	Imdgqfbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcqcc32.dll"	Heocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbcedcn.dll"	Icnpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kbfbkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegnoi32.dll"	Hbgmcnhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffhoqj32.dll"	Kfoafi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldjhpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjjhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imakkfdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmhhehlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmhale32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphopllo.dll"	Lmdina32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hflcbngh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcmom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpmkplp.dll"	Jlnnmb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3804	2808	6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe	84
PID 2808 wrote to memory of 3804	2808	6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe	84
PID 2808 wrote to memory of 3804	2808	6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe	84
PID 3804 wrote to memory of 1124	3804	Hkdbpe32.exe	85
PID 3804 wrote to memory of 1124	3804	Hkdbpe32.exe	85
PID 3804 wrote to memory of 1124	3804	Hkdbpe32.exe	85
PID 1124 wrote to memory of 1912	1124	Hbnjmp32.exe	86
PID 1124 wrote to memory of 1912	1124	Hbnjmp32.exe	86
PID 1124 wrote to memory of 1912	1124	Hbnjmp32.exe	86
PID 1912 wrote to memory of 4692	1912	Hihbijhn.exe	87
PID 1912 wrote to memory of 4692	1912	Hihbijhn.exe	87
PID 1912 wrote to memory of 4692	1912	Hihbijhn.exe	87
PID 4692 wrote to memory of 1708	4692	Hcmgfbhd.exe	88
PID 4692 wrote to memory of 1708	4692	Hcmgfbhd.exe	88
PID 4692 wrote to memory of 1708	4692	Hcmgfbhd.exe	88
PID 1708 wrote to memory of 2236	1708	Hflcbngh.exe	89
PID 1708 wrote to memory of 2236	1708	Hflcbngh.exe	89
PID 1708 wrote to memory of 2236	1708	Hflcbngh.exe	89
PID 2236 wrote to memory of 1760	2236	Heocnk32.exe	90
PID 2236 wrote to memory of 1760	2236	Heocnk32.exe	90
PID 2236 wrote to memory of 1760	2236	Heocnk32.exe	90
PID 1760 wrote to memory of 1452	1760	Hijooifk.exe	91
PID 1760 wrote to memory of 1452	1760	Hijooifk.exe	91
PID 1760 wrote to memory of 1452	1760	Hijooifk.exe	91
PID 1452 wrote to memory of 1472	1452	Hfnphn32.exe	92
PID 1452 wrote to memory of 1472	1452	Hfnphn32.exe	92
PID 1452 wrote to memory of 1472	1452	Hfnphn32.exe	92
PID 1472 wrote to memory of 2560	1472	Hmhhehlb.exe	93
PID 1472 wrote to memory of 2560	1472	Hmhhehlb.exe	93
PID 1472 wrote to memory of 2560	1472	Hmhhehlb.exe	93
PID 2560 wrote to memory of 4592	2560	Hcbpab32.exe	94
PID 2560 wrote to memory of 4592	2560	Hcbpab32.exe	94
PID 2560 wrote to memory of 4592	2560	Hcbpab32.exe	94
PID 4592 wrote to memory of 3748	4592	Hfqlnm32.exe	95
PID 4592 wrote to memory of 3748	4592	Hfqlnm32.exe	95
PID 4592 wrote to memory of 3748	4592	Hfqlnm32.exe	95
PID 3748 wrote to memory of 2112	3748	Hioiji32.exe	96
PID 3748 wrote to memory of 2112	3748	Hioiji32.exe	96
PID 3748 wrote to memory of 2112	3748	Hioiji32.exe	96
PID 2112 wrote to memory of 1048	2112	Hbgmcnhf.exe	97
PID 2112 wrote to memory of 1048	2112	Hbgmcnhf.exe	97
PID 2112 wrote to memory of 1048	2112	Hbgmcnhf.exe	97
PID 1048 wrote to memory of 4472	1048	Iiaephpc.exe	98
PID 1048 wrote to memory of 4472	1048	Iiaephpc.exe	98
PID 1048 wrote to memory of 4472	1048	Iiaephpc.exe	98
PID 4472 wrote to memory of 388	4472	Ikpaldog.exe	99
PID 4472 wrote to memory of 388	4472	Ikpaldog.exe	99
PID 4472 wrote to memory of 388	4472	Ikpaldog.exe	99
PID 388 wrote to memory of 1984	388	Ibjjhn32.exe	100
PID 388 wrote to memory of 1984	388	Ibjjhn32.exe	100
PID 388 wrote to memory of 1984	388	Ibjjhn32.exe	100
PID 1984 wrote to memory of 4260	1984	Ipnjab32.exe	101
PID 1984 wrote to memory of 4260	1984	Ipnjab32.exe	101
PID 1984 wrote to memory of 4260	1984	Ipnjab32.exe	101
PID 4260 wrote to memory of 3252	4260	Ifgbnlmj.exe	102
PID 4260 wrote to memory of 3252	4260	Ifgbnlmj.exe	102
PID 4260 wrote to memory of 3252	4260	Ifgbnlmj.exe	102
PID 3252 wrote to memory of 4368	3252	Imakkfdg.exe	103
PID 3252 wrote to memory of 4368	3252	Imakkfdg.exe	103
PID 3252 wrote to memory of 4368	3252	Imakkfdg.exe	103
PID 4368 wrote to memory of 4824	4368	Ibnccmbo.exe	104
PID 4368 wrote to memory of 4824	4368	Ibnccmbo.exe	104
PID 4368 wrote to memory of 4824	4368	Ibnccmbo.exe	104
PID 4824 wrote to memory of 5004	4824	Imdgqfbd.exe	105

C:\Users\Admin\AppData\Local\Temp\6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe
"C:\Users\Admin\AppData\Local\Temp\6873ce736acc45d3a437f393f85d588b7bd8ee4bf10304227d076d51cba859f7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Hkdbpe32.exe
  C:\Windows\system32\Hkdbpe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Hbnjmp32.exe
    C:\Windows\system32\Hbnjmp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\Hihbijhn.exe
      C:\Windows\system32\Hihbijhn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\Hcmgfbhd.exe
        
        C:\Windows\system32\Hcmgfbhd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
      - C:\Windows\SysWOW64\Hflcbngh.exe
        
        C:\Windows\system32\Hflcbngh.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Heocnk32.exe
        
        C:\Windows\system32\Heocnk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Hijooifk.exe
        
        C:\Windows\system32\Hijooifk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Hfnphn32.exe
        
        C:\Windows\system32\Hfnphn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Hmhhehlb.exe
        
        C:\Windows\system32\Hmhhehlb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Hcbpab32.exe
        
        C:\Windows\system32\Hcbpab32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Hfqlnm32.exe
        
        C:\Windows\system32\Hfqlnm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Hioiji32.exe
        
        C:\Windows\system32\Hioiji32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Hbgmcnhf.exe
        
        C:\Windows\system32\Hbgmcnhf.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Iiaephpc.exe
        
        C:\Windows\system32\Iiaephpc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ikpaldog.exe
        
        C:\Windows\system32\Ikpaldog.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Ibjjhn32.exe
        
        C:\Windows\system32\Ibjjhn32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Ipnjab32.exe
        
        C:\Windows\system32\Ipnjab32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ifgbnlmj.exe
        
        C:\Windows\system32\Ifgbnlmj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Imakkfdg.exe
        
        C:\Windows\system32\Imakkfdg.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Ibnccmbo.exe
        
        C:\Windows\system32\Ibnccmbo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Imdgqfbd.exe
        
        C:\Windows\system32\Imdgqfbd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Icnpmp32.exe
        
        C:\Windows\system32\Icnpmp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Ifllil32.exe
        
        C:\Windows\system32\Ifllil32.exe
        24⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Imfdff32.exe
        
        C:\Windows\system32\Imfdff32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\Ipdqba32.exe
        
        C:\Windows\system32\Ipdqba32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ibcmom32.exe
        
        C:\Windows\system32\Ibcmom32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Jimekgff.exe
        
        C:\Windows\system32\Jimekgff.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Jmhale32.exe
        
        C:\Windows\system32\Jmhale32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Jbeidl32.exe
        
        C:\Windows\system32\Jbeidl32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Jioaqfcc.exe
        
        C:\Windows\system32\Jioaqfcc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Jlnnmb32.exe
        
        C:\Windows\system32\Jlnnmb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Jbhfjljd.exe
        
        C:\Windows\system32\Jbhfjljd.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Jfeopj32.exe
        
        C:\Windows\system32\Jfeopj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Jpnchp32.exe
        
        C:\Windows\system32\Jpnchp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Jblpek32.exe
        
        C:\Windows\system32\Jblpek32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Jlednamo.exe
        
        C:\Windows\system32\Jlednamo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Kboljk32.exe
        
        C:\Windows\system32\Kboljk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Kfjhkjle.exe
        
        C:\Windows\system32\Kfjhkjle.exe
        41⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Klgqcqkl.exe
        
        C:\Windows\system32\Klgqcqkl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Kdnidn32.exe
        
        C:\Windows\system32\Kdnidn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Kikame32.exe
        
        C:\Windows\system32\Kikame32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Kpeiioac.exe
        
        C:\Windows\system32\Kpeiioac.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Kfoafi32.exe
        
        C:\Windows\system32\Kfoafi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Kmijbcpl.exe
        
        C:\Windows\system32\Kmijbcpl.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Kpgfooop.exe
        
        C:\Windows\system32\Kpgfooop.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Kbfbkj32.exe
        
        C:\Windows\system32\Kbfbkj32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Kpjcdn32.exe
        
        C:\Windows\system32\Kpjcdn32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Kfckahdj.exe
        
        C:\Windows\system32\Kfckahdj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Klqcioba.exe
        
        C:\Windows\system32\Klqcioba.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Kdgljmcd.exe
        
        C:\Windows\system32\Kdgljmcd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Liddbc32.exe
        
        C:\Windows\system32\Liddbc32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Ldjhpl32.exe
        
        C:\Windows\system32\Ldjhpl32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Lekehdgp.exe
        
        C:\Windows\system32\Lekehdgp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Lpqiemge.exe
        
        C:\Windows\system32\Lpqiemge.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Lmdina32.exe
        
        C:\Windows\system32\Lmdina32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Lbabgh32.exe
        
        C:\Windows\system32\Lbabgh32.exe
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Lmgfda32.exe
        
        C:\Windows\system32\Lmgfda32.exe
        62⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Lbdolh32.exe
        
        C:\Windows\system32\Lbdolh32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Lingibiq.exe
        
        C:\Windows\system32\Lingibiq.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Mdckfk32.exe
        
        C:\Windows\system32\Mdckfk32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Mbfkbhpa.exe
        
        C:\Windows\system32\Mbfkbhpa.exe
        66⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Mipcob32.exe
        
        C:\Windows\system32\Mipcob32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Mlopkm32.exe
        
        C:\Windows\system32\Mlopkm32.exe
        68⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Mdehlk32.exe
        
        C:\Windows\system32\Mdehlk32.exe
        69⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\Mmnldp32.exe
        
        C:\Windows\system32\Mmnldp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1584
        
        C:\Windows\SysWOW64\Mckemg32.exe
        
        C:\Windows\system32\Mckemg32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1920
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        73⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        75⤵
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        78⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        79⤵
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        81⤵
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4720
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        88⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3768
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        100⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        102⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        106⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        109⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        112⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        115⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5728
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        125⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        128⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        129⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        136⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        140⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        146⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5564
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        154⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 396
        157⤵
        Program crash
        
        PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5304 -ip 5304
1⤵
PID:5592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
ff970dc7d64ae981ef6e309c9c346086

SHA1
3d250367c6cb379e9972ec20d67aa5ff1baf246e

SHA256
b347560e1c43f4cdd36898ab69dc99fc80d0579da44676011a8cb49cbdfc9c75

SHA512
3b3e778c2600e66babdc6a213bb9cb6f188f62227f3d3b5ec886701fbf87fb6c81d13dc369a8ebd6048705902561cd04327410db812b3c2850d41424c122bf3d

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
64KB

MD5
d45b3062a756e2d0e14c3bdde5708946

SHA1
9a581b03c40becc1ab9e6577e1962265b7155246

SHA256
3fb1951d53e112d1fc2cdc2e74fc7658dab968aecf25f87775a0da6e32c49974

SHA512
940ba184e82ba810cd68c42ea4cc458dd601243750a52838a351e3ad50c47734c0a962d6fe8b1168c9ebd3ebd088f9a4dd21fcd1bae89b29b88391e0325dc3f9

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
96KB

MD5
e5d3da0652de181637d378a3d125c721

SHA1
d019580552ed8e5e2d0013e3063b8e26d29db203

SHA256
62cb99f2b459d8b55977c017a32d215f91869d64593f63ea0aac224f1b51e06b

SHA512
ed22ad91116debc4b66edacd3cdd6be0e7e81c16c5151bde8edbdd3179dc4e3c1cc285bc94a4923b1f82ff8d6f866b2d345e21f6799d4685dbb384ca7facb4dc

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
49187d8fec503b664e313da9a8d464de

SHA1
900eee04f6d1b1f564e92310d9a06c4c5f0db8bd

SHA256
48146bd711f03571d79e498e9c98ba0f540712c6086c7e509f9a3a1ac6b82bf5

SHA512
cac103cf580758f7f5af3baf78c14417f8fab8329f40f50558d72d7cc4380b5867cbd357011104c1cea908e4c2108db0ccafd05d14a72cfc286f7bf44f08dc91

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
63f68158472e57619fa006adda0e15af

SHA1
cda08dcf9238204bfec76576e0bd615d4c152c88

SHA256
da12b3d171da2e57eed09cb26d09a3529dc4b7927b022df40df23358b09b77df

SHA512
aff5fb07615dc71e93d41fa4144fb7d4ae758d95c2811893a54faab56f517c6eed881479dbf973a4b829dc154055b9e0011d901aae4ca4eb85a4e75d4e52af5a

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
5407b609688184fbe3f7a1748c74f6d8

SHA1
0f94272bee49cec48fbe701ea9a3b212fc029073

SHA256
9c6747732b59f92b364991ee3972ef722705e47d43ebbafd4b1acb6352a100c5

SHA512
c9a8e830a52625a2d0c86c61879f6697a388a873fcaabfdd51a7ba2ed7d0b4e86272b7ba77316a3695e5eaa16255c888c50d5ca616aed4b8c13ef2d7d8d05b0a

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
96KB

MD5
7e29437f15a37f6330e9f40dca30ef68

SHA1
bbcb8536c6b929ec20ea9321aa8abd155c712322

SHA256
4f0aec9c32e67dc7324bae26ab09b3f04eb6dcda8759d609de607e493613bfe5

SHA512
f788ba3b86966c6be7a18f8ad715167d380d42a30009085a7c3bb684c0d5084912b4448ca9f05bbcb85a90491c9cd31fce293e28616bd6b47c8106ad1135585b

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
3545286ae36120100eff09106d3bfe5b

SHA1
0c94ab60366effaa5887b1b5adc355694d196108

SHA256
f3bf190f745506e1ccf134c59f965a4eafed7bfe32917164251dacf2c1c9eaad

SHA512
91cee345c95596e6c21f3f77da83efc470b81870857c510293900e03120b4878482768b84ab5535ba36eb455ef003a744e21424f7528e8b97ecb5caa2c4b738d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
ecebf80315a997dffb0341578435ec62

SHA1
70ded8b1861d23a58c923f8e439d16f5351ef593

SHA256
79af7c5e9f9af0d3d3426b349abe13d78f90820c8e9b573be97fd60b6e10b010

SHA512
ad19beded866bf4135524623dcf3bbf6cb163a672e6c3e2b76e1c60568d9553b301dbdabccde3943e957e8c3c1ef3805a47d589073c3dee6a47c7f6e26a0e4df

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
5b71cc44d5df40bb5cda1d922cb1758c

SHA1
65fba6d86599f4ebe554e2abac991d4eb885b320

SHA256
f2fc89a7a134cdba2023ac1e8ad3b1a2e9b3e0e51783d1792427e5c272b47623

SHA512
fe3a84f563f08188886653cf693479b68ce657a04f8896ed0924e0b26df672fb2514e556ff2c9c1879fb739b8839d251bdd8813d6a299a1315154c80e1e47ad9

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
1e6b12cf7634d0dce4f39e499e92fc62

SHA1
075c1c4efb0bb683876d6c12f5c76acc41b0ebb9

SHA256
131011bc9c22f790bfacb10b30434b26da4aa48cdb78fc211aaed0ddf262155e

SHA512
c364f3ed2e3c3ad8344f846bda0b6a2cb9cc568c4b923eb3c7292b1e99cdd1eb71ebefc3989f70f9599303ed53014588164fe90795bcacadc7af844a7dd3d2ad

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
7c7fa225f432c2bf02bbee5abf71f306

SHA1
2f4ad9853bad1670e826380651a31e65c08b9dbd

SHA256
6ccb0c3ae0121fa7628006a3d7d2bbabdf4003351e5457050fc49d1d30d7965c

SHA512
776f71c1ac55d922953eb81581933f143eea62c6eec843b48ed2774106516a01eaff31f0aa57ffe2a394a91ae290fd04f17d363b56ef988f5cbe1d0dfbc6d4bd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
96KB

MD5
d302db4b8485dac5774f6c46a9d5586c

SHA1
24396bf1d3fabc7193c0f16f0e1d83e14b4fa1dc

SHA256
7378210bf6c682abeb367abd7f23364adf8a551f54e5af57ac5f5a59e91576f8

SHA512
8823c6af3c9bb3e1f4ea78cb8de974570e9d1b8c2669b08d8fa275977d9a0ae53b3777afc2d9c928ab2800c4650ab91bb3c25fb9a9a25d9406e1b401ed65934e

Download Submit
C:\Windows\SysWOW64\Hbgmcnhf.exe

Filesize
96KB

MD5
d4c68eb45b0f837d5a6aba1a061052e2

SHA1
f5693092e02fe7195df46a8319eb11bc94ba61e4

SHA256
2a068eb74685b1ccf8ca009a9c99e999dea0143463827a4fda9c9e9854d5ef6b

SHA512
0639241d30e0b5ce2fbac1f4341fe903517ecd674cfc1a7282867734267faadd3b06483070538661e5f399acb077bdd496719db429e78e47543183fb3e8208bd

Download Submit
C:\Windows\SysWOW64\Hbnjmp32.exe

Filesize
96KB

MD5
da67c2141ae22b3f7da3b3518f3b11bf

SHA1
14e1fe9300b33a07e2c1e3bde2ded841ac9b18df

SHA256
566a8efadc6d7cb6655a2266d6cf28cc986d601b0652e214287b5e65ce577f35

SHA512
a345fa3f5a37582b3bf6b79543e09ba2271fe6afb0e0d614983704b4426cb272f15cb760aa48c551beb495c7d0421ad1d686c37fab85e5bb6aa8117c11d68b99

Download Submit
C:\Windows\SysWOW64\Hcbpab32.exe

Filesize
96KB

MD5
a6d275b1e0ffb278ba7031d9f820e513

SHA1
07621e12bda0767eede73555312e8265cfc50800

SHA256
1032809d71063519e5ca85c684bf2d6a8a6bbe920d0bf0237f7de045d919a60d

SHA512
d506dcc010a0d3be8c83a1fb0ea993e17fb4b4961e78aff3abe8f9f059e772bae5112d6be43e502bce3482d8c78e30d48f54664e6dc1a8f7a77e00e712c97e27

Download Submit
C:\Windows\SysWOW64\Hcmgfbhd.exe

Filesize
96KB

MD5
c23297fe81ae09107e5742cddfd16cf7

SHA1
137fe105e9610a98f7f696cba663e257b88cb086

SHA256
2d8f3b79548478fd3fd3d29fe34024ff85f3f85327df2e3c10637d09637d7c76

SHA512
86701757387962f9312b88e4842dec852ce6aaf0b10ad9757e0ba3cc4145f7cb36ca74b060986fe2b2ed2009f784658b86e36f919042e618296d3edc243596c4

Download Submit
C:\Windows\SysWOW64\Heocnk32.exe

Filesize
96KB

MD5
e8d458cc9ac913d84eaa00ab4cf04bc2

SHA1
e69ef548f2e3abb0fabf6b91a748b746dd2c37de

SHA256
907702a22e4aefd4b33de4d3e0db84c624e75ac490993af0ec393f2683c755d8

SHA512
76cadb538c7e3e0da6c3a702efb6d2229213021c731ca6394eb26711b975967ab8c61ca9306e05e9dfe29bbe7f1bc6a530c475c2bc26b267db0f0619556e6fa5

Download Submit
C:\Windows\SysWOW64\Hflcbngh.exe

Filesize
96KB

MD5
89feb415d19b178bf5cb3981c1e0d48a

SHA1
1d7d9c5b6ea3152bb5f9a212b27d99cf400d0585

SHA256
8507953fe4b6be162f570702f976b7323202c1d058f7def63906f228a257babb

SHA512
d779bf80cc173bec007c7972c505b5e9ca4303ded3300ce20e20e55f264b4ae8059b5a2297b4ed83983510e681481e6504c3a6c2a5fa809d6d7b04741ee896ae

Download Submit
C:\Windows\SysWOW64\Hfnphn32.exe

Filesize
96KB

MD5
a5ccb208cb97adfea9ec951ac9dedf95

SHA1
dd4587d2846d8ae139078eb3cf0fd514d02c88fe

SHA256
4ba0b4d3498c30ce998a0002871a7013fd334600063ec400181d2f65fa10218b

SHA512
ec744cf3fac0be5c87b96df5fd9e97df655dd64949905b00b7baa1f1ef6183abac3534eb2ecb6e7bb0de6a19a9fc8e48ad892e1d5403e43b1c00b1e9cd0e3cfa

Download Submit
C:\Windows\SysWOW64\Hfqlnm32.exe

Filesize
96KB

MD5
411ea5c97114388a0d8682a1fe5d50bd

SHA1
148ec2c8e52adf0ef9cb3d05420fd004b860a0ca

SHA256
db2b78aa9ac9cc92bb0d20be679bfb84678d18d437157e12d3321c6847c12d8c

SHA512
72b417916ca1657b0d53d0abc564618be2a5d0985d0a9210ff7b75d5745ba8317ef3f38089ad26f6e5300ab0ddad90f81c140e29de297e42e396b17fed4848bd

Download Submit
C:\Windows\SysWOW64\Hihbijhn.exe

Filesize
96KB

MD5
387eba31fa417ebe15f5f624e70dacc0

SHA1
e0b897b1c7717f558da5cb1fe389fadf031b5488

SHA256
be34c5d729160d6352ef135472b6e4da01f4e984e16fb13ac8a5e925c7c39449

SHA512
d37134e6ccb3a72db0426fd5ee095ba696c3b32b89acd97f66ecf663c4111025ce91999688905150f8f935c9744a87d2f12752b65eab19196f440e5001fd922b

Download Submit
C:\Windows\SysWOW64\Hijooifk.exe

Filesize
96KB

MD5
2989fac6fed05771ae38bd3342838820

SHA1
d73595baebd48a78ab526b8ce071093016eca9a2

SHA256
128b2f1f6fef675b117c6cbf8689afd4a3afbb0d2f6c4b425f9c1a4cae5bc447

SHA512
f1944872fa19225f50a4d658acfa7c3e97e648a43e353d26161ff82853a890282b1f2602b829b6e19d4713fe855272fb90403ca58ba1cbff96e413086ac0b4c5

Download Submit
C:\Windows\SysWOW64\Hioiji32.exe

Filesize
96KB

MD5
2ac1a24a9e3466b9a684f5c8d61aa92f

SHA1
913e3ee7ae5bb8bc38b19b21a6de89db54f00513

SHA256
56b5124f69167cf3da77986b93a070b33bd6c6f8cc4da1e8e1109630c0b6683b

SHA512
88cc6f0f92be4e8cfe645cbb48e40e5e00aff0f378defd04f4c54f0a4b6fd1cd434992b1b9faf8b3b31505c1180a9102b9a9098fa591941218f2495e2bb7a974

Download Submit
C:\Windows\SysWOW64\Hkdbpe32.exe

Filesize
96KB

MD5
c4516e8a72548f1228b3a05a29926ed2

SHA1
2bcba91a36a6c2616bc3a76d8bd05e83b0d9eee9

SHA256
6a69194c0fed271db32c01b05c27ab9faafac74676cc8b6d9263ceb8f31a691e

SHA512
499c6ac652b6d03214c47f6f40e83c089c4b3282aec23b61924a14878bd760572dd7aab9d4b5172e9d10ef0a87b9f8e39048845b7e12aed055978069bfc02f05

Download Submit
C:\Windows\SysWOW64\Hmhhehlb.exe

Filesize
96KB

MD5
27b0426eef20a88dce2d40f8727b37ea

SHA1
cf54e2d9a9b9e480caaa6f58dd00917f29edb2b0

SHA256
f2b1327b4f6913ad04b8ea2f76a4dd1a1cae0149a30a6e43a577a0bf4c5e73fe

SHA512
b6b8b96f5be541c7908918f171e16a63a1b55ae3bbdf49d997e17c15fa565378ed9b943150c6fa6179a1946554d54582eadecf6f64a78f1f21536ca56ac9e01c

Download Submit
C:\Windows\SysWOW64\Ibcmom32.exe

Filesize
96KB

MD5
153ed4d75d0be658cd9a08d5ffc39dc2

SHA1
40db8f96cb089e18215049999eddf235ac2a2e9a

SHA256
4a1ce61fe412723f2346788e5390c10f0f2861e792368fa98fe491efef2cece1

SHA512
65e52b63b591fb61e7b54a2ee4e99f1887553a6c5177b13a12dad03c01d68bb6e646f5eb8df3d3037e1c4af868a83a63c84ffd3b17582f080d43ebbcd56e2750

Download Submit
C:\Windows\SysWOW64\Ibjjhn32.exe

Filesize
96KB

MD5
4205a4bb1697068ef13692e17e416814

SHA1
9a277a3c9846cba025cdab24d4c079258e993d62

SHA256
84cbf020fc79bb4e4094a8e839b4a704f2cc80e251de1a4d2b0ab4f271bfe93b

SHA512
68c8a3e25b516288f369676fecedc4ff59fd0c1d5c7b52a3b6f32aa3620af1e2a3ec42a8dc39289a6a80e5af34e83a34d301aa58963a12c89eae93ba7a402809

Download Submit
C:\Windows\SysWOW64\Ibnccmbo.exe

Filesize
96KB

MD5
d674ffb19c6b7fb903dac4a158e97529

SHA1
aefa299b02d674f5c4f609270f24188663d472c4

SHA256
ac0cba73b88cfc4b055a5e5ec3b90ee42f5d8a4729919a216e02329a4d48e45d

SHA512
076aceb0f308b1daa6e2cdfec23a77cc2c5b4ca479527a318edb5b583588a939ffedb6abd9446bc43a082edadd187e9cb557127d53606a16764b96543cd6073f

Download Submit
C:\Windows\SysWOW64\Icnpmp32.exe

Filesize
96KB

MD5
fe7402495d19fb6bf3e64b8e409b5f2f

SHA1
1daec60d3a39128a8ce9158807d822354aeddb84

SHA256
96d69cf936976e10e5b9a248a68b91fe72173e4a733920a93b80101cce96e02e

SHA512
c1d7da289c119717f24bc22b7b285019753a10f328a0fc83a9000b2bd2bfa40f78af884fa7ab67c3231bbadb0ca171ea18d6bf4e3fcf657afb03e27940e8b27a

Download Submit
C:\Windows\SysWOW64\Ifgbnlmj.exe

Filesize
96KB

MD5
40108dc880bbc2926c763469fb771b91

SHA1
3dcadce4051dbbd953c18cac01967f2a9aefa09b

SHA256
cbb54447867cf1bcb5becb0596d8283341546703a7f0b24d1191c3aff45fec40

SHA512
afa465870dff032d56413f91ba379ad4d72410f2779576d2ef2bd2d5f9b78ac2f24b9ad07abe9f73409cbf61ad8ea396b3a6f81cc59afbcf833a89026bd98acf

Download Submit
C:\Windows\SysWOW64\Ifllil32.exe

Filesize
96KB

MD5
f93121998fdbb76504ca39b69d590e06

SHA1
71926c982a34152954776daca97d91c4e75cbec1

SHA256
bb3f28153dfdf9fc27b670ced42ac58750086cb88a5300092e5320de2084ae9d

SHA512
385af7ca3635ba9eee1aab6687ee2a37cd16bfe8ec6940ec2dac10588ec1a7c159007d2a23caecddd6152a45da6e6b17cc70674e84c9cda1df31e388eff5502b

Download Submit
C:\Windows\SysWOW64\Iiaephpc.exe

Filesize
96KB

MD5
4de6fb9551c93287fc3230cefd777091

SHA1
1e7c75146a21682fecf9f84918ec30375a2f78b6

SHA256
5c0c6b55f88b38be4e52b8a432b30c0ceae60a2e119705e019f608d4805ae570

SHA512
c9ccf7018de6745c06b64b5cf9dd500b2c2cb707883028fcd5762c660a350198cb5dbdc88eb3881e7e2f2cfe9a7b09d44bcc49d574fbabcc64fa14b45876476d

Download Submit
C:\Windows\SysWOW64\Ikpaldog.exe

Filesize
96KB

MD5
3f7b756cfc5045336ac4ca1b2a07e4c8

SHA1
4d6441934648bda916c60b8c23d3c715aed4340a

SHA256
e8afa748a334f4be68c66348493c7407470a78a00c5435f457e1e4958ba27b04

SHA512
8b7a49185b3a7cb7ad03013a22965bed68d13ae71165c3a708c96dc63d1b22ea05bfd15e8605f05cb2b9e25a8e3f92d45999401a6aa88afb34f608d161441c04

Download Submit
C:\Windows\SysWOW64\Imakkfdg.exe

Filesize
96KB

MD5
a627d686c80b4c5e96d5a867ef962c3b

SHA1
2c955c94a02e249371978d0be845deae63174245

SHA256
78f02fb0a77265c62b832b86d89e9c0daee2765db73136c04b87735f1f395646

SHA512
5bd9be38099db38ccd210e70c49faf371e7cdc16e6a3e2c882e3041d305d9a8565b77c7f57151f0fe728f600114a680693832e8406ac0a4681fa052fb4c4aaf8

Download Submit
C:\Windows\SysWOW64\Imdgqfbd.exe

Filesize
96KB

MD5
35b5cacb151af434341bb7372b0eb323

SHA1
b82a0d6348bdc98a0eaf1929e286472a327b82a4

SHA256
005ea42505162af5b20c5c8537737f347f452b7c5b91653fe279812647177140

SHA512
19ff2c53c3520702f55611613c77b66b3159271528fb660514033a71d3cf5d5e08312c48a0cbc378071e74b27445978301007d6a3bb8bf748ca34e68fc7448d1

Download Submit
C:\Windows\SysWOW64\Imfdff32.exe

Filesize
96KB

MD5
50a29921dd6539f2de26284391f682a4

SHA1
e5ba71ed99b9b9f5f343ea468940073de409291c

SHA256
5fcecd8bf44a8e13b97395cf0f7e2facaf7ae5620caae1a5abff8d34126ef7b1

SHA512
c9a7cdeeaf2211f71d578fc06b9a9366d0bb994bf329efd4eb397ed9649a54c7d89472ab2b29266e3e7e7aecbc2da8132ca1c3ac0731c4ebd70a5be85692958d

Download Submit
C:\Windows\SysWOW64\Ipdqba32.exe

Filesize
96KB

MD5
95974d76c5acf0c5c68dd9d849aee37d

SHA1
be202f6534e7d010dc8db2fa294b1f8474f15680

SHA256
84da59be9e49a6b7f761763b9b5553b363468c0ee2eb5348fab3fd743cfddaee

SHA512
11f86fdb7ae4fee765968c32ae026207adefdd4b0f512b1c557847e07f52e9b8ddf425987337f4d23acf438b4f6ea18333cf0f4d29245459a95deed038b240e4

Download Submit
C:\Windows\SysWOW64\Ipnjab32.exe

Filesize
96KB

MD5
b5ea55b876fc5f0f828dea372b7a23e3

SHA1
2554b3df87f9a5dbc0a048c91713eceb08a9c246

SHA256
f43afc1f55efbf790bd2b1e103a30fbf21f99bb2d41fc62a4f22330917ac89b7

SHA512
734141f080f357ebf1583b06868cf95d98cd49e3d60a59e6ba4cc216ed5fbf1daee8ffcabb0c08316120964210f31ad2f5b06ec850cc9c2f371e2850449ce297

Download Submit
C:\Windows\SysWOW64\Jbeidl32.exe

Filesize
96KB

MD5
9b2e7db576b647d6ace3ac825fcd8a7a

SHA1
b806bb29cb162068d07acb290335b2439323e32f

SHA256
6dce1301faa1290fa4fe1c0c9d226207d7e0ce07ee8a1fc9192835f4d15fe7f5

SHA512
2b6db739eb0e3333be2f9a8d6d381049ee1a3e7637b12b06ef86c3b29ce2663b4590e6b51f281eb76123eeac97d5d98d547d67fb2770f5dd0b8620bd5b9180db

Download Submit
C:\Windows\SysWOW64\Jbhfjljd.exe

Filesize
96KB

MD5
957f019f2ce218293d79d06851a1f10d

SHA1
ababf50f3d46e5ec72d3248b46d8ac0e4dcbede0

SHA256
5748bf049abb4e49cb4b93088905b32b3e5ae98f3c5f8f14556a6ee756561107

SHA512
7bea90f3fc010e63c168fbc774288da9a1999dfbfbaa14ddd81662489b83bd34d85520508de17d0569650a8a95a2847da8a2fb2c7766a88aa4cca27313696406

Download Submit
C:\Windows\SysWOW64\Jimekgff.exe

Filesize
96KB

MD5
4aabc5cfa5bfe8671899532e9d7e1592

SHA1
47c73349e0b8553df38ed13842a9fbc3d407b529

SHA256
98679a7c1191e9b08f97e8489d0a346b8ac70261fb60acc7faa30673ad19d651

SHA512
b7fadad3a51a4472adcfdbc1dbf1d7f480a1e99494aa5f6553f009532b20c833ad3dd688be763e10000e30073ba17dcccb710823a4c5b39254b7b786f3c141c1

Download Submit
C:\Windows\SysWOW64\Jioaqfcc.exe

Filesize
96KB

MD5
7a58d7e65e0bc25651236b49e8cc1285

SHA1
9deabfc472b4f9dec89b33ca9b9d532df42f7098

SHA256
e5d092a4e103c01b3008f11676a0a1470dad302fa16967e4371b71aa546b0c51

SHA512
dc83cdf28a709ca52a5cd73bb54d524a0d39a7b80c53a26beb437aea7e953c936a53aaa5081000b6b3e14262da3a69537cd781b202df27d65f143ba6822be73c

Download Submit
C:\Windows\SysWOW64\Jlnnmb32.exe

Filesize
96KB

MD5
cc077c9f9158b080f6e171a64728d873

SHA1
6fe821ed7c2da503b21a00bbdcf4c907822f7c5d

SHA256
bfa1a7327cd392029beb776588fdc138f4cbe890768c20b955da0b03e1eac434

SHA512
1a3b80a3e97f38f525f60fd81c53d94bcb9c23060ebb6c3052f57e62d4376e1a08f3bde5b994f379efe86b5a66deafa9a62d36bfc3ef04fa49fca3ea20f8b642

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
96KB

MD5
3cd1dd62a79e4879e45a1c1291a5cc33

SHA1
99cb63703b4d77164e30db35301d71bb3d61b5ae

SHA256
3b8c0b1d04354c0f859c95fefdad6d0654db2bcec42e96750272377e373b40a6

SHA512
30c57e3dcd8f5d91997424542581ec9292c667c3dd22daa8afbb45af91d28963a783b0e5d38e56c08b5c2a180780d6eb86daf804b19a3f7a9cf759ef55069e2e

Download Submit
C:\Windows\SysWOW64\Kboljk32.exe

Filesize
96KB

MD5
1d31a0add6d726966ff756acd070714c

SHA1
4ca1189b986c25fd1278ec50108fd7024233909b

SHA256
b22b9b063dd7fefced5391a6fb861585d29a78a5665984e421627e2d27289a69

SHA512
82391d6a1cc8f224710a1ec1fa055460c34401a7455944d302663121c490e5e3ddb48f39d5e8a5d68654ba005ce7286ee6dcfab0cef35fa59e0cb070225562f5

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
1868977be2c1301a5b9bc9e3fd316df3

SHA1
d4cdd0e5a82fd9612e3579686a4c9f5558cd2dea

SHA256
cb8be4652dac0168696b0afcdfed111b6c935f036819e993b2d0bcd4755b0dc9

SHA512
9df9f182f53cab4c9217013824c46b282a391dc4aa92fbd1cb7dedea0efdc66041aa54a0d0d19b486de8f2d723718c776c33d935e3d3fbfecd4823848b2ab6c4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
06d4b940988bb20a41a3c44a217490e1

SHA1
5abf441ddcf16b117a3480c708859830219e520b

SHA256
f3644cc36b50eebc3816b0492f1bbe3d0082cab07316888fd1820f9d2f26d55f

SHA512
db72cfbce1981353f1dc5aede6774b0d9a5b1476aa1ebafd9122ead48a55ab3a5313e6ec48321d80f7f6ff72140f59d6494588439f443ad4b81c96dcd026c4f1

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
96KB

MD5
e2943689c8ec832182993aa120b0c6e1

SHA1
3ca2eb7a1bec1dafc60438a1856846f27ea1a10d

SHA256
0019ee5919343fcbeac851cac5563eceb5f14b00486f3e4f03bdfde5c5027bff

SHA512
1176d058c6ab1a883d9dff3b3c7eca9f620290d051c4d5fd773a5402d70d99b331db7a613b7f00026d54b733c5912cab3e4577c73c98b9d2f5e3957d956e5e68

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
3d43b136b090e8b5501aeed7a35af806

SHA1
bacd82bb5ff89336ff4c09b06b1489e71c0558e8

SHA256
34d4b3912fa8ed5bb6fa908b124b50924ac97c9f42a26ab87103361d7a81c608

SHA512
a03d145a633110492022a63d16bae7bba4f6548988071a223df6d3742079b524ad1b9090ddf9d2d3d2be45ba407fd5adfc4c2e3efe3971be0ab806fb371b55b3

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
f052028102591d3e383f500a0a331b5f

SHA1
8a72cc85113f0b59ad0f3b209795c8ddc59cec56

SHA256
cfcef5b980bd21c17b5a5b99b57b55d593fa1bb842de474506134650fd605069

SHA512
031ef324de98c1b8032001a9a5287a133d311083bc992c931d447231c2af747816fcbcbc1848b2c8fac8635c7050782a90e9301228b1c1798edf0840b8b067f6

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
4bb3e5f6ca09b617b69b180b891795bd

SHA1
225b83aa8d504cc115a98a9c1a4396757ea6e0d4

SHA256
6ef5e2302c90cf7716fc4dfc2b3aaceb859d8479e7ebfa9e5757c3f9183e0264

SHA512
5193f460bcc5fc9e47da1e0c050e9cc4155f5297d930812e0598bd36f2b534ac2af979104322dfdf767488c5834328eacd3d0547e87c7123085d18084493141b

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
baf9da3f2ca6290f977140e9f3e6d10a

SHA1
395ae636d420c65f441fce405684fda9e18c7f95

SHA256
a7deabf65ef5d50f94bf7d9f6f4602cabe59eda1433ec1a42dc2f55b1700ebcd

SHA512
5a3c66cebf589ea61e583d8a2daf4c86ec772882fd24f87d63ba1aea3f5eeab45e3de1e887c286995e2790ec410669a671dc3a6dfb6942f11b8396e60fe983d8

Download Submit
memory/388-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/936-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2068-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2500-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2808-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3528-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3804-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5368-1075-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5416-1089-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5784-1103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5872-1070-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6020-1096-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6108-1078-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads